This talk will demonstrate real-world prompt injection attacks that compromise agentic systems. Specifically, exploits will target computer-use and coding agents, such as OpenAI's Operator, Google Jules, Gemini CLI, Anthropic's Claude Code, Devin from Cognition, and others. Yes, I spent $500 USD to hijack and exploit Devin, so that you don't have to.
The talk will show the disastrous consequences of letting agents operate autonomously. It will expose critical vulnerabilities that threaten confidentiality, system integrity, and the future of AI-driven automation, including RCE, exfiltration of sensitive information such as access tokens, joining agents to traditional command-and-control infrastructure (a technique the presenter has termed "ZombAIs"), and long-term prompt injection persistence in AI agents.
Additionally, the talk explores how nation-state TTPs such as ClickFix apply to computer-use systems and how they can trick AI systems and lead to full system compromise (AI ClickFix). Finally, we will cover current mitigation strategies, forward-looking recommendations, and strategic thoughts.
Key Takeaways
- Exploitation vectors in AI coding agents
- Complex attack chains that combine multiple novel techniques
- Overview of various coding agents and their security posture
- The ClickFix TTP currently used by nation-state actors, and how AI systems are similarly vulnerable to it