NVIDIA's AI Red Team has released a report detailing how agentic AI developer tools can be exploited to achieve remote code execution (RCE) on developer machines. The research, presented at Black Hat USA in August 2025, highlights vulnerabilities in tools like Cursor, OpenAI Codex, Claude Code, and GitHub Copilot, which are increasingly used to automate coding tasks. The report, published on October 9, 2025, explains how attackers can use indirect prompt injection by adding malicious instructions to untrusted data sources like GitHub issues or pull requests. This allows them to control the actions of these AI agents and execute arbitrary code. The attack works by:

Planting malicious instructions in GitHub issues or pull requests.
Creating seemingly harmless Python packages with hidden payloads.
Tricking the AI agent into installing these packages, leading to RCE.

To prevent such attacks, the report recommends:

Restricting the autonomy of agentic applications.
Enforcing human-in-the-loop approval for sensitive commands.
Isolating fully autonomous agents from sensitive tools and information.
Using tools like NVIDIA's LLM vulnerability scanner garak and NeMo Guardrails to harden LLMs against prompt injection.

The researchers emphasize adopting an "assume prompt injection" approach when designing or evaluating agentic applications. They also note that enterprise controls are available for Cursor to disable auto-run or limit its blast radius. "Agentic coding workflows have unlocked rapid development capabilities across the industry. But to effectively harness this new efficiency, enterprises and developers need to understand the potential risks and adopt mitigating policies," the report concludes.