Technical description
Forcepoint senior security researcher Mayur Sewani published research on April 22, 2026 identifying 10 indirect prompt injection (IPI) payloads targeting AI agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft, and system compromise. One payload attempts to force LLM-powered coding assistants or agentic AI with shell access to execute a Unix command for recursive forced deletion of files and directories. Researchers emphasized that the attack surface is highest for AI assistants integrated into IDEs, terminal environments, and developer tools.
Attack vector
Indirect prompt injection attacks embed malicious instructions in external content (documents, web pages, code repositories) that AI agents ingest. When the agent processes the content, the injected prompt overrides legitimate user instructions, causing the agent to execute unauthorized actions. The disclosed payloads target agentic workflows with tool-use capabilities, particularly those with shell access or file-system permissions.
Affected systems
AI coding assistants, developer tools, agentic AI with shell access, LLM-powered terminal integrations, and any AI agent capable of reading external documents or web content and executing system commands.
Mitigation
Implement strict input validation for all external content before agent ingestion. Restrict tool and data access to the minimum necessary per agent role. Enforce human-in-the-loop approval for high-risk actions (file deletion, system commands, API key access). Deploy monitoring for anomalous agent behavior, particularly privilege escalation or unexpected tool invocations. Separate agent execution environments from production systems.