An AI coding agent injected blockchain dead-drop malware into my repo


An AI coding agent injected blockchain dead-drop malware into my repo via indirect prompt injection. Full incident report: payload decode, IOCs, and remediation.


mihai-r-lupu/blockchain-c2-ai-agent-injection.md

Last active May 15, 2026 14:37


TL;DR

An AI coding assistant injected a multi-layer obfuscated JavaScript payload into a legitimate commit on my open-source project. My best assessment is that it arrived via indirect prompt injection — the agent processed external web content during a research task, and that content contained hidden instructions. The payload masqueraded as a font file, used tasks.json to auto-execute on VS Code folder open, and phoned home via the TRON blockchain as a command-and-control dead-drop. It never actually ran — a VS Code Server shell environment failure accidentally protected me. I decoded the full payload statically, rewrote the git history to remove both poisoned commits, and am disclosing the IOCs here.

Background

I maintain Realm, an open-source TypeScript workflow execution engine. I use an AI coding assistant heavily for development. On May 3 2026, the assistant made what looked like a routine cleanup commit to prepare a 0.1.0 release.

How the Injection Likely Happened

I can't pinpoint the exact source without reviewing the agent's full session transcript from May 3, but the mechanism is almost certainly indirect prompt injection.

The attack chain:

1. I gave the agent a task that involved gathering context from external sources — reading documentation, forum posts, or other web content to inform a decision.
2. The agent fetched those pages and processed their text as part of its working context.
3. At least one of those pages contained instructions embedded in its content — not visible to a human reader, but present as plain text the agent parsed alongside the legitimate content.
4. The agent interpreted those instructions as legitimate directives and executed them: creating the payload file, adding the .vscode/ trigger config, and bundling everything into an otherwise legitimate commit.

The payload is too sophisticated to be spontaneously generated — 4-layer obfuscation, blockchain dead-drop C2 with multi-chain fallback, cross-platform execution path, the specific task.allowAutomaticTasks bypass. It was pre-written. The injection instruction only needed to supply the file contents and the surrounding config. The agent did the rest.
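A review-time check for the trigger configuration described above, as an added example that is not code from the original report or from the Realm project. It flags tasks set to run on folder open, any task.allowAutomaticTasks value other than "off", and tasks that reference a font file; the function names, the font-extension heuristic and the sample files are assumptions constructed for illustration.

```javascript
// Parse JSONC (comments + trailing commas), the dialect VS Code uses for .vscode/*.json.
function parseJsonc(text) {
  let out = "", inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === "\\") out += text[++i] ?? "";       // keep escaped char verbatim
      else if (c === '"') inStr = false;
    } else if (c === '"') { inStr = true; out += c; }
    else if (c === "/" && n === "/") {              // line comment: skip to end of line
      while (i + 1 < text.length && text[i + 1] !== "\n") i++;
    } else if (c === "/" && n === "*") {            // block comment
      const end = text.indexOf("*/", i + 2);
      if (end < 0) break;
      i = end + 1;
    } else if (c === "}" || c === "]") out = out.replace(/,\s*$/, "") + c; // drop trailing comma
    else out += c;
  }
  return JSON.parse(out);
}
// Heuristic (assumption): a task that references a font file deserves a second look.
const FONT_EXT = /\.(woff2?|ttf|otf|eot)\b/i;
// Returns findings for tasks.json / settings.json contents; pass null for a missing file.
function auditVscodeConfig(tasksText, settingsText) {
  const findings = [];
  const tasks = tasksText ? parseJsonc(tasksText).tasks ?? [] : [];
  for (const t of tasks) {
    const label = t.label ?? "(unlabelled)";
    if (t.runOptions?.runOn === "folderOpen")
      findings.push(`auto-run: task "${label}" runs on folder open`);
    // Stringify the whole task so per-OS overrides (windows/linux/osx) are covered too.
    if (FONT_EXT.test(JSON.stringify(t)))
      findings.push(`font-as-code: task "${label}" references a font file`);
  }
  const allow = (settingsText ? parseJsonc(settingsText) : {})["task.allowAutomaticTasks"];
  if (allow !== undefined && allow !== "off")
    findings.push(`trust-bypass: task.allowAutomaticTasks = ${JSON.stringify(allow)}`);
  return findings;
}
// Constructed sample input, not the files from the incident.
const SAMPLE_TASKS = `{ // constructed: looks like a harmless asset step
  "tasks": [
    { "label": "fonts", "command": "node", "args": ["assets/inter.woff2"],
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "command": "npm run build" } ] }`;
const SAMPLE_SETTINGS = `{ "task.allowAutomaticTasks": "on" /* constructed */ }`;
console.log(auditVscodeConfig(SAMPLE_TASKS, SAMPLE_SETTINGS));
```

Run it over the .vscode/ files in any commit that touches them, including commits authored by an agent, and treat a non-empty result as a reason to review the diff by hand.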

Any external content in the agent's context window is a potential injection vector: forum threads, GitHub issues, npm README pages, Stack Overflow answers, documentation sites. The attacker needs only to...
