Johann Rehberger

Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents This talk demonstrates end-to-end prompt injection exploits that compromise agentic systems. Specifically, we will discuss exploits that ...

Great talk describing the myriad ways coding agents can be re-directed to do stuff they shouldn’t via prompt Injections. Especially nice, changing to yolo-mode so the human in the loop is no longer asked for confirmation of potentially harmful operations (by @wuzzi23.bsky.social at #39c3)

Claude Pirate: Abusing Anthropic's File API For Data Exfiltration · Embrace The Red Claude's Code Interpreter recently got network access, and the default allow-list enables an interesting novel exploit chain that allows an adversary to exfiltrate large amounts of data by uploading f...

Ahoy! 🏴‍☠️

Claude got network access.

When enabled, it can also communicate with Anthropic APIs!

Twist: Attacker sets their own API key in prompt injection payload to upload user's data to their account 🔥

embracethered.com/blog/posts/2...

Great series, kudos.

To rephrase the old joke: the S in VIBE coding stands for Security.

AgentHopper: An AI Virus · Embrace The Red AgentHopper: A proof-of-concept AI Virus

AgentHopper: An AI Virus

Month of AI Bugs Season Finale - Enjoy! 🍿

embracethered.com/blog/posts/2...

AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection · Embrace The Red Agents That Can Overwrite Their Own Configuration and Security Settings

Episode 26: AWS Kiro

Arbitrary Code Execution via Indirect Prompt Injection

embracethered.com/blog/posts/2...

How Prompt Injection Exposes Manus' VS Code Server to the Internet · Embrace The Red This post shows how an indirect prompt injection can trick Manus to expose the VS code server and at the same time leak its connection password, allowing an adversary to connect over the internet and ...

Episode 25: Manus

How Prompt Injection Exposes Manus' VS Code Server to the Internet

embracethered.com/blog/posts/2...

How Deep Research Agents Can Leak Your Data · Embrace The Red When enabling Deep Research an agent might go off for a long period of time and invoke many tools and leak information from one tool to another.

Episode 24: How Deep Research Agents Can Leak Your Data

embracethered.com/blog/posts/2...

Sneaking Invisible Instructions by Developers in Windsurf · Embrace The Red A vulnerability in Windsurf Cascade allows malicious instructions to be hidden from developers but followed by the AI, leading to potential data exfiltration. Learn how this 'invisible' attack works.

Episode 23: Windsurf

Sneaking Invisible Instructions by Developers in Windsurf

embracethered.com/blog/posts/2...

Windsurf: Memory-Persistent Data Exfiltration (SpAIware Exploit) · Embrace The Red Windsurf is vulnerable to Prompt Injection and also long-term memory persistence, which allows an adversary to persist malicious instructions for a long period of time, aka. SpAIware attack

Episode 22: Windsurf

Windsurf: Memory-Persistent Data Exfiltration (SpAIware Exploit)

embracethered.com/blog/posts/2...

Hijacking Windsurf: How Prompt Injection Leaks Developer Secrets · Embrace The Red Windsurf is vulnerable to indirect prompt injection and can be exploited to leak sensitive source code, environment variables and other information on the host

Episode 21: Hijacking Windsurf

How Prompt Injection Leaks Developer Secrets

embracethered.com/blog/posts/2...

Amazon Q Developer: Remote Code Execution with Prompt Injection · Embrace The Red Amazon Q Developer Compromising Developer Machines

Episode 19: Amazon Q Developer

Remote Code Execution with Prompt Injection

embracethered.com/blog/posts/2...

Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection · Embrace The Red Amazon Q Developer Leaking Sensitive Data To External Systems Via DNS Requests (no human in the loop)

Episode 18: Amazon Q Developer

Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection

embracethered.com/blog/posts/2...

Data Exfiltration via Image Rendering Fixed in Amp Code · Embrace The Red AmpCode is vulnerable to Prompt Injection and it was possible to leak sensitive source code, environment variables and other information on the host

Episode 17: Amp

Data Exfiltration via Image Rendering Fixed in Amp Code

embracethered.com/blog/posts/2...

Amp Code: Invisible Prompt Injection Fixed by Sourcegraph · Embrace The Red Sourcegraph recently fixed a vulnerability that allowed invisible instructions to perform prompt injection and hijack the agent.

Episode 16: Amp code

Invisible Prompt Injection Fixed by Sourcegraph
embracethered.com/blog/posts/2...

Google Jules is Vulnerable To Invisible Prompt Injection · Embrace The Red Jules is vulnerable to Prompt Injection from invisible instructions in untrusted data, which can end up running arbitrary operating system commands via the run_in_bash_session tool

👉 Episode 15: Google Jules

Google Jules is Vulnerable To Invisible Prompt Injection

embracethered.com/blog/posts/2...

Jules Zombie Agent: From Prompt Injection to Remote Control · Embrace The Red Jules is vulnerable to Prompt Injection and can be exploited to leak sensitive source code, environment variables and achieve remote command & control by joining a botnet.

👉 Episode 14: Google Jules

Jules Zombie Agent: From Prompt Injection to Remote Control

embracethered.com/blog/posts/2...

Google Jules: Vulnerable to Multiple Data Exfiltration Issues · Embrace The Red Jules is vulnerable to Prompt Injection and can be exploited to leak sensitive source code, environment variables and other information on the host

👉 Episode 13: Google Jules

Vulnerable to Multiple Data Exfiltration Issues with prompt injection

embracethered.com/blog/posts/2...

The Summer of Johann: prompt injections as far as the eye can see Independent AI researcher Johann Rehberger (previously) has had an absurdly busy August. Under the heading The Month of AI Bugs he has been publishing one report per day across an …

Great summary by @simonwillison.net of @wuzzi23.bsky.social ‘s findings on AI tools vulnerabilities.
In short, all AI tools are vulnerable if one attaches external files and links to their prompts, leading to secrets leaks and remote code execution.
Johann publishes daily until the end of the month.

GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) · Embrace The Red An attacker can put GitHub Copilot into YOLO mode by modifying the project's settings.json file on the fly, and then executing commands, all without user approval

💥 Remote Code Execution in GitHub Copilot (CVE-2025-53773)

👉 Prompt injection exploit writes to Copilot config file & puts it into YOLO mode, and we get immediate RCE

🔥 Bypasses all user approvals

🛡️ Patch is out today. Update before someone else does it for you

embracethered.com/blog/posts/2...

Claude Code: Data Exfiltration with DNS · Embrace The Red Claude Code Can Leak Sensitive Data To External Systems with DNS requests

Episode 11

Claude Code: Data Exfiltration with DNS

embracethered.com/blog/posts/2...

ZombAI Exploit with OpenHands: Prompt Injection To Remote Code Execution · Embrace The Red When processing untrusted data OpenHands can be hijacked to run remote code (RCE) and connect to an attacker's command and control system

Episode 10

ZombAI Exploit with OpenHands: Prompt Injection To Remote Code Execution

embracethered.com/blog/posts/2...

OpenHands and the Lethal Trifecta: How Prompt Injection Can Leak Access Tokens · Embrace The Red OpenHands Coding Agent Data Exfiltration Threats

Episode 9

OpenHands and the Lethal Trifecta: How Prompt Injection Can Leak Access Tokens

embracethered.com/blog/posts/2...

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection · Embrace The Red AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

Episode 8

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

embracethered.com/blog/posts/2...

How Devin AI Can Leak Your Secrets via Multiple Means · Embrace The Red Data gone, oops.

Episode 7

How Devin AI Can Leak Your Secrets via Multiple Means

embracethered.com/blog/posts/2...

I Spent $500 To Test Devin AI For Prompt Injection So That You Don't Have To · Embrace The Red I Paid $500 to test Devin AI for security vulnerabilities in April 2025. When processing untrusted data Devin can be hijacked to run remote code (RCE) and connect to an attacker's command and control ...

Episode 6

Spent $500 To Test Devin AI For Prompt Injection So That You Don't Have To

embracethered.com/blog/posts/2...

Amp Code: Arbitrary Command Execution via Prompt Injection Fixed · Embrace The Red By automatically allowlisting bash commands or adding a fake MCP server, it was possible for prompt injection to achieve code execution on the developer's machine!

Episode 5

Amp Code: Arbitrary Command Execution via Prompt Injection Fixed

New novel TTP!

embracethered.com/blog/posts/2...

Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132) · Embrace The Red Cursor Data Exfiltration via Mermaid Image Rendering

Episode 4

Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132)

embracethered.com/blog/posts/2...

Anthropic Filesystem MCP Server: Directory Access Bypass via Improper Path Validation · Embrace The Red Improper Path Prefix Validation Allows Access to Alternate Directories

Episode 3

Anthropic Filesystem MCP Server: Directory Access Bypass via Improper Path Validation

embracethered.com/blog/posts/2...

Turning ChatGPT Codex Into A ZombAI Agent · Embrace The Red Common Dependencies Allowlist includes domain that allows full remote control of ChatGPT Codex (ZombAI)

Episode 2

Turning ChatGPT Codex Into A ZombAI Agent

embracethered.com/blog/posts/2...

Episode 1:

Exfiltrating Your ChatGPT Chat History and Memories With Prompt Injection

embracethered.com/blog/posts/2...