Definition
An attack where an adversary injects malicious instructions or code into a resource that an AI coding assistant will read — such as a README file, a software package, or an MCP server response — causing the agent to silently execute harmful commands on the developer's machine. Because these agents run with the developer's full account privileges, a single poisoned file in a cloned repository can steal credentials, install backdoors, or exfiltrate source code without the user clicking anything. Research (GuardFall, TrustFall) shows this works against the majority of popular open-source AI coding agents.
Why it matters
Every developer using an AI coding assistant is a potential entry point into corporate infrastructure: one compromised package or repository can cascade into stolen cloud credentials, source code theft, or lateral movement across the organisation's systems.