Prompt Injection Attacks on Agentic AI Coding Assistants: Systematization of Knowledge

Global: Prompt Injection Attacks on Agentic AI Coding Assistants: Systematization of Knowledge

A new arXiv preprint released in January 2026 presents a systematic analysis of prompt injection attacks targeting agentic AI coding assistants such as Claude Code, GitHub Copilot, and Cursor. The authors examine how these assistants—built on large language models (LLMs) integrated with file systems, shell access, and the Model Context Protocol (MCP)—have introduced a novel class of security vulnerabilities. By reviewing 78 studies published between 2021 and 2026, the paper quantifies attack success rates, evaluates existing defenses, and proposes a comprehensive mitigation framework.

Three‑Dimensional Attack Taxonomy

The study introduces a three‑dimensional taxonomy that classifies attacks according to delivery vectors, attack modalities, and propagation behaviors. Delivery vectors encompass input manipulation, tool poisoning, and protocol exploitation. Attack modalities span multimodal injection and cross‑origin context poisoning, while propagation behaviors describe how malicious prompts spread across toolchains and execution environments. This structure unifies previously disparate classifications and facilitates systematic comparison of techniques.

Scope of Exploitable Techniques

Researchers catalog 42 distinct attack techniques, ranging from crafted code snippets that trigger unintended tool actions to malicious files that corrupt the assistant’s internal state. Notably, the analysis highlights skill‑based architecture vulnerabilities, where modular components can be subverted to execute arbitrary commands. The authors report that adaptive attack strategies achieve success rates exceeding 85 % against state‑of‑the‑art defensive measures.

Evaluation of Existing Defenses

The paper reviews 18 defense mechanisms documented in prior literature, including sandboxing, input sanitization, and model‑level prompt filtering. Empirical findings indicate that most defenses mitigate less than 50 % of sophisticated attacks, underscoring a gap between current protective measures and the evolving threat landscape.

Implications for the Security Community

According to the authors, the prevalence of high‑success‑rate attacks suggests that prompt injection should be treated as a first‑class vulnerability class. They argue that ad‑hoc filtering is insufficient and that architectural‑level mitigations are required to safeguard development pipelines that rely on agentic assistants.

Proposed Defense‑in‑Depth Framework

The authors propose a defense‑in‑depth framework that combines rigorous tool provenance verification, context isolation, and continuous monitoring of model‑assistant interactions. By aligning mitigation strategies with the three dimensions of their taxonomy, the framework aims to reduce attack surface while preserving the productivity benefits of AI‑augmented coding.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.