Prompt injection hidden in open-source library targeted AI coding agents — and deleted output files

A maintainer of jqwik, a Java property-based testing library, quietly added an undisclosed prompt injection payload to the codebase — one specifically crafted to be read and executed by AI coding agents rather than by the Java runtime itself. When an AI assistant ingested the library's code as context, the hidden instruction directed it to delete application output files. No compiler warning, no runtime exception; the attack surface was the LLM, not the JVM.

The motivation, reportedly, was frustration with "vibe coders" — developers who lean entirely on AI assistants to generate and ship code without understanding what it does. Whether you find that grievance sympathetic or not is beside the point: the technique worked, and that's what matters for anyone building with AI tooling today.

This is a textbook supply-chain prompt injection. The attack requires no vulnerability in the AI model itself. It only requires that the agent reads third-party source files — which is exactly what tools like GitHub Copilot Workspace, Cursor, and similar agentic environments do by default when they pull in dependencies for context. The malicious text looks like a comment or documentation to a human reviewer but reads as an imperative instruction to an LLM.

The practical exposure is significant. Agentic coding workflows that automatically index node_modules, Maven dependencies, or any vendored source are ingesting untrusted text and treating it with a level of authority it was never meant to have. A more destructive or stealthy payload — exfiltrating secrets, introducing subtle logic bugs, silently modifying test assertions — would follow the same vector.

What you can do right now: audit which files your AI coding assistant is allowed to index and restrict it to first-party code where possible. Treat AI-generated actions that touch the filesystem, network, or credentials with the same skepticism you'd apply to a shell script from a stranger. If you maintain or consume open-source libraries, start thinking about prompt injection as a supply-chain risk category alongside dependency confusion and typosquatting — because attackers certainly will.