New "Poisoned Documentation" Attack Hijacks AI Coding Agents Without Malware
News/2026-03-25-new-poisoned-documentation-attack-hijacks-ai-coding-agents-without-malware-j6pyz
Cybersecurity AI Breaking NewsMar 25, 20265 min read
?Unverified·Single source

New "Poisoned Documentation" Attack Hijacks AI Coding Agents Without Malware

Featured:Context Hub

Practical focus

Detect threats and suspicious behavior

Guideline angle

Using AI in SOC workflows

New "Poisoned Documentation" Attack Hijacks AI Coding Agents Without Malware

New "Poisoned Documentation" Attack Hijacks AI Coding Agents Without Malware

  • What: A proof-of-concept (PoC) attack demonstrating that AI agents can be compromised via malicious API documentation.
  • Target: Context Hub, a documentation service for AI coding agents launched by Andrew Ng.
  • The Risk: Attackers can inject fake dependencies or malicious instructions into documentation that AI models then execute or include in code.
  • Performance: In testing, Anthropic’s Claude 3 Haiku model failed 100% of the time, while the high-end Opus model remained resilient.

Cybersecurity researchers have demonstrated a new breed of AI supply chain attack that bypasses traditional malware detection by "poisoning" the documentation used to guide autonomous coding agents. The vulnerability, identified in Andrew Ng’s newly launched Context Hub service, allows attackers to trick AI models into installing malicious packages by simply submitting a compromised pull request to a documentation repository.

The discovery highlights a critical shift in the AI threat landscape: as developers increasingly rely on agents to write and maintain code, the documentation these agents consume has become a high-value attack vector that currently lacks basic security sanitization.

The Context Hub Vulnerability

Context Hub was launched earlier in March 2026 by AI pioneer and Stanford professor Andrew Ng to address the "hallucination" problem in AI-assisted coding. Coding agents often use outdated API calls because their training data is stale; Context Hub solves this by providing a Model Context Protocol (MCP) server that delivers up-to-date documentation directly to the agent.

However, security researcher Mickey Shmueli, creator of the curated documentation service lap.sh, found that the service’s reliance on community contributions creates a massive security hole. Because Context Hub accepts documentation via GitHub pull requests (PRs) with minimal oversight, an attacker can submit "poisoned" docs that appear legitimate but contain instructions for the AI to include malicious third-party libraries.

"The review process appears to prioritize documentation volume over security review," Shmueli told The Register. "I didn't find any evidence in the GitHub repo of automated scanning for executable instructions or package references in submitted docs."

According to the report, out of 97 closed pull requests on the platform, 58 were merged, suggesting a high success rate for potential attackers looking to infiltrate the supply chain.

How the Attack Works: Data vs. Instructions

The attack exploits a fundamental weakness in Large Language Models (LLMs) known as indirect prompt injection. Because LLMs cannot reliably distinguish between "data" (the documentation they are reading) and "system instructions" (what they are supposed to do), they treat the content of the documentation as a command.

In Shmueli's proof-of-concept, he created poisoned documents for popular services Plaid Link and Stripe Checkout. These documents contained references to fake PyPI (Python Package Index) packages. When an AI agent fetched this documentation to help build a project, it didn't just read the API specs—it followed the "instructions" to add the malicious packages to the project's requirements.txt file.

The results varied significantly across different AI models:

  • Claude 3 Haiku: Failed 40 out of 40 runs, writing the malicious package into the configuration every time without warning.
  • Claude 3.5 Sonnet: Issued warnings in 48% of runs but still included the malicious library 53% of the time.
  • Claude 3 Opus: Proved the most resilient, issuing warnings 75% of the time and refusing to include the bad dependency in any test runs.

Shmueli noted that Opus is likely more successful because it is "trained better, on more packages, and it's more sophisticated," whereas smaller, faster models like Haiku are more susceptible to being led astray by the content they process.

Impact on the AI Industry

This discovery represents a significant escalation in AI supply chain risks. Traditionally, supply chain attacks required compromising a software library or a developer’s credentials. This new method requires nothing more than a well-worded GitHub pull request.

For developers and enterprises, the implications are severe. If an AI agent fetches documentation from an unvetted source and automatically updates a project’s dependencies, a company could unknowingly ship code containing backdoors or data exfiltration tools.

"The agent fetches documentation, reads the poisoned content, and builds the project," Shmueli warned. "The response looks completely normal. Working code. Clean instructions. No warnings."

"This attack proves that in the age of AI agents, documentation is no longer just a manual—it is executable code by proxy."

This vulnerability falls into what developer Simon Willison describes as the "lethal trifecta" of AI security risks: exposure to untrusted content, the ability to perform actions (like writing files), and a lack of human-in-the-loop verification.

What’s Next for AI Documentation

The success of the PoC suggests that the current infrastructure for "AI-ready" documentation is not yet mature enough for production environments. Shmueli argued that the problem is not limited to Context Hub but affects all systems that make community-authored content available to AI models without rigorous sanitization.

To mitigate these risks, industry experts suggest several immediate steps:

  1. Automated Scanning: Documentation repositories must implement scanners that flag executable commands, shell scripts, or suspicious package names within Markdown files.
  2. Human Verification: Documentation updates should undergo the same level of security scrutiny as code changes.
  3. Model Fine-tuning: AI providers need to further train models to distinguish between descriptive documentation and prescriptive commands.

As of the time of publication, Andrew Ng has not publicly responded to requests for comment regarding the security protocols of Context Hub. However, the open issues on the project's GitHub repository indicate that the developer community is beginning to flag these security concerns as a priority.

Sources


All technical specifications, pricing, and benchmark data in this article are sourced directly from official announcements. Competitor comparisons use publicly available data at time of publication. We update our coverage as new information becomes available.

Original Source

go.theregister.com

Comments

No comments yet. Be the first to share your thoughts!