AIDE-003 Context Manipulation Coverage D GAP CANDIDATE Execution

Cross-Context Adversarial Prompt Injection

AIDE-003 |

Description

Adversary Behavior: Adversaries manipulate the context provided to AI systems integrated into development environments to influence code generation output by poisoning context sources with adversarial content — through modified source files, documentation, comments, or other artifacts ingested by the AI system.

AI/IDE Mechanism: AI-enabled development tools automatically assemble context from project files, documentation, and other artifacts to inform code generation. The context assembly pipeline does not distinguish between benign project content and adversary-crafted payloads, treating all ingested artifacts as trusted input to the generation model.

Execution Path: The adversary places crafted content in files that the AI system ingests during context assembly. The adversary does not directly execute commands; instead, the adversarial context redirects the AI system's probabilistic generation process through carefully crafted semantic manipulations. The generated code achieves execution when the developer accepts and deploys it. This technique has been demonstrated with a 75.72% success rate across multiple production LLM models using semantically equivalent code transformations that evade traditional program analysis.

Security Impact: Adversaries can redirect code generation to produce vulnerable or backdoored code at scale, with the developer unknowingly accepting and deploying adversary-influenced output. The indirect execution path makes attribution and detection significantly more difficult than direct code injection.

Platforms

Windows macOS Linux

Detection

Analyze context window contents for natural-language instruction patterns embedded in non-configuration files. Compare generated code against known vulnerability patterns. Monitor for divergence between developer intent and generated output. Implement context integrity validation that flags files containing prompt-like instruction patterns in code comments, docstrings, and documentation.

Detecting Data Components (6)

Response Content

Full text of LLM responses including generated code, explanations, and tool call requests.

Token Metadata

Metadata about inference requests including token counts, model selection, latency, and processing parameters.

Code Suggestion Generated

Events capturing each code suggestion produced by the LLM, including code content, context, and security scan results.

File Context Inclusion

Events capturing which local files are included in the LLM context window for each inference request.

External Context Fetch

Events capturing context retrieval from external sources beyond repositories including web pages and MCP resources.

Prompt Content

Full text of prompts sent to the LLM including system prompts, user instructions, and assembled context.

Mitigations (1)

Context Window Content Filtering

Apply input sanitization and prompt injection detection to content entering the LLM context window. Scan for instruction-like patterns in code comments, documentation, and external content. Implement content trust levels differentiating project files from external sources.

Data Sources

Application Log → Application Log Content

File → File Modification

Process → Process Creation

References

mitre-attack

CANDIDATE GAP — Not an official ATT&CK technique. Proposed new technique under Execution tactic.

XOXO Cross-Origin Context Poisoning

Stealthy Cross-Origin Context Poisoning Attacks against AI Coding Assistants

https://arxiv.org/abs/2503.14281

AgentFlayer (Zenity Labs, Aug 2025)

Credential exfiltration from Cursor IDE via adversarial content injected through a Jira ticket — 5-stage kill chain with pipeline-based lateral movement.

https://www.zenity.io/blog/agentflayer

Morris II Worm (Cohen et al., Mar 2024)

Self-replicating adversarial prompts propagated via email to GenAI ecosystems — first demonstrated AI worm with 5 kill chain stages.

https://arxiv.org/abs/2403.02817

BadCodePrompt

First backdoor attack on code generation via few-shot prompting; up to 98.53% ASR on GPT-4, Claude-3.5-Sonnet without training data access (AST journal, 2024)

https://dl.acm.org/doi/abs/10.1007/s10515-024-00485-2

Claude Code Hidden Backdoor (Lasso Security)

Indirect prompt injection in Claude Code via README files, web pages, API responses, and code comments exploiting shell execution and MCP integration (Lasso Security, 2025)

https://www.lasso.security/blog/the-hidden-backdoor-in-claude-coding-assistant

AgentLAB

First long-horizon attack benchmark — intent hijacking, task injection, objective drifting across 28 agentic environments; single-turn defenses fail (arXiv:2602.16901, Feb 2026)

https://arxiv.org/abs/2602.16901

Guardrail Bypassing

100% evasion success against Azure Prompt Shield, Prompt Guard, and 4 other protection systems using character injection and adversarial ML (arXiv:2504.11168, 2025)

https://arxiv.org/abs/2504.11168

RoguePilot

Passive prompt injection via GitHub Issues manipulates Copilot in Codespaces to exfiltrate tokens; no user interaction required (Orca Security, 2025)

https://orca.security/resources/blog/roguepilot-github-copilot-vulnerability/

STIX Metadata

type	attack-pattern
id	attack-pattern--d5d4aecd-fc94-4496-ab59-b7ab3812c0cb
spec_version	2.1
created	2026-02-23T00:00:00.000Z
modified	2026-02-23T00:00:00.000Z
created_by_ref	identity--f5b5ec62-ffbd-4afd-9ee5-7c648406e189
x_mitre_is_subtechnique	False
x_mitre_version	0.1
x_mitre_status	candidate