Researchers Demonstrate Query-Agnostic Prompt Injection Threat to Coding Assistants

Global: Researchers Demonstrate Query-Agnostic Prompt Injection Threat to Coding Assistants

A team of researchers announced a new attack paradigm, termed query-agnostic indirect prompt injection (QueryIPI), that enables malicious code execution in integrated development environment (IDE) assistants regardless of the specific user query. The study, posted on arXiv in October 2025, outlines how the technique exploits invariant components of the agent’s prompt, such as system instructions and tool descriptions, to bypass safety mechanisms.

Background and Motivation

Modern coding agents embedded in IDEs combine powerful development tools with elevated system privileges, creating a broad attack surface. Prior investigations into indirect prompt injection have largely focused on query‑specific triggers, which require precise user inputs and thus suffer from limited generalizability. The authors argue that a more robust approach must target the stable elements of the prompt that remain constant across interactions.

QueryIPI Framework

QueryIPI is an automated framework that treats tool descriptions as optimizable payloads. It begins by generating seed payloads aligned with the agent’s conventions, using the invariant system prompt as a foundation. Through iterative, black‑box optimization and reflective prompting, the framework refines these payloads to overcome instruction‑following failures and safety refusals.

Experimental Evaluation

The authors evaluated QueryIPI against five simulated coding agents. Results show a success rate of up to 87%, markedly higher than the 50% achieved by the strongest baseline method. The experiments demonstrate that the approach reliably executes malicious payloads under arbitrary user queries.

Real‑World Transferability

Importantly, payloads generated in the simulated environment were found to transfer to actual coding assistants deployed in real IDEs, indicating a practical security risk beyond controlled test settings.

Implications for Security

These findings suggest that existing defenses, which often rely on detecting anomalous user inputs, may be insufficient against attacks that manipulate invariant prompt elements. The work underscores the need for developers of coding agents to reconsider safety architectures that account for prompt‑level vulnerabilities.

Future Directions

The researchers recommend further study into mitigation strategies, including dynamic prompt sanitization and stricter isolation of tool description handling, to reduce the attack surface exposed by query‑agnostic injection techniques.

This report is based on information from arXiv, licensed under Academic Preprint / Open Access. Based on the abstract of the research paper. Full text available via ArXiv.