◈ AI Security Intelligence ← All terms
Attack  ·  Glossary

Indirect Prompt Injection via Workspace Artifacts

Definition
An attack where malicious instructions are embedded in files or artifacts within a developer's workspace (a README, config file, or project directory name), which the AI agent then consumes and executes. The developer may be unaware that cloning a malicious repository has poisoned the AI's context and instructions.
Why it matters
Unlike direct prompt injection (which requires interacting with the chat interface), indirect injection spreads through repository clones and shared codebases. A single malicious repository can silently compromise the AI agents of every developer who opens it, enabling code injection or data exfiltration.
Demonstrated by recent findings
Eclipse Theia AI Chat — Markdown Image Tags Enable Prompt-Injection-Driven Data Exfiltration (CVE-2026-22551)Eclipse Theia — Workspace Task Definitions Execute Arbitrary Code Without Trust Enforcement (CVE-2026-44691)Eclipse Theia AI — Malicious .prompttemplate Files Override AI System Prompts (CVE-2026-46580)Eclipse Theia AI Chat — Workspace File/Directory Names Injected Into AI System Prompt (CVE-2026-44688)
References
OWASP LLM Top 10
Track this in the live feed See how this plays out in real AI security and governance developments.
Open the feed →