AIDE-007 Impact Coverage D GAP CANDIDATE Impact

Adversarial Code Generation Steering

AIDE-007 |

Description

Adversary Behavior: Adversaries influence AI code generation systems to systematically produce source code containing known vulnerability patterns while maintaining functional correctness.

AI/IDE Mechanism: AI code generation systems produce code based on contextual input including project files, comments, and instruction files. Through prompt injection or context manipulation, the generation model can be directed to prefer insecure coding patterns — such as string-concatenated SQL queries, deprecated cryptographic algorithms, disabled certificate validation, insecure deserialization, or missing input sanitization — without affecting the functional correctness of the output.

Execution Path: The adversary injects instructions that bias the AI toward insecure code patterns. The generated code passes functional testing because it produces correct output for expected inputs, but contains exploitable vulnerabilities. The attack has been demonstrated through IDE plugins that inject malicious code comments as attack strings, increasing insecure code generation rates by over 50% across 16 CWEs in 5 programming languages.

Security Impact: The adversary introduces systematic security flaws at scale across any codebase where compromised AI suggestions are accepted. Vulnerabilities are distributed across the codebase and blend with developer-written code, making identification through conventional code review extremely difficult.

Platforms

Windows macOS Linux

Detection

Apply static application security testing to LLM-generated code before acceptance. Monitor for statistically anomalous patterns in generated code vulnerability rates. Compare generated code against the CWE top 25 and OWASP top 10 vulnerability catalogs.

Detecting Data Components (4)

Prompt Content

Full text of prompts sent to the LLM including system prompts, user instructions, and assembled context.

Response Content

Full text of LLM responses including generated code, explanations, and tool call requests.

Code Suggestion Accepted/Rejected

Events capturing the developer's decision to accept or reject a code suggestion.

Code Suggestion Generated

Events capturing each code suggestion produced by the LLM, including code content, context, and security scan results.

Mitigations (1)

Generated Code Security Scanning

Apply inline SAST/security scanning to AI-generated code before presentation to the developer. Track vulnerability detection rates over time to identify adversarial steering patterns. Block acceptance of code with known vulnerability patterns.

Data Sources

Application Log → Application Log Content

File → File Creation

References

mitre-attack

CANDIDATE GAP — Proposed new technique under Impact tactic.

INSEC Black-Box Adversarial Attacks on Code Completion

Black-Box Adversarial Attacks on LLM-Based Code Completion

https://arxiv.org/abs/2408.02509

Copilot Backdoor (Trail of Bits, Aug 2025)

Prompt injection via GitHub issues caused Copilot to insert backdoors into generated code that passed human code review.

https://blog.trailofbits.com/2025/08/

BadCodePrompt

Trigger insertion into few-shot examples achieves 98.53% ASR for generating backdoored code; stronger reasoning models show higher vulnerability (AST journal, 2024)

https://dl.acm.org/doi/abs/10.1007/s10515-024-00485-2

STIX Metadata

type	attack-pattern
id	attack-pattern--4c1912c5-2f71-4e60-9588-e003fce42854
spec_version	2.1
created	2026-02-23T00:00:00.000Z
modified	2026-02-23T00:00:00.000Z
created_by_ref	identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique	False
x_mitre_version	0.1
x_mitre_status	candidate