Microsoft researchers have found that prompt injection attacks can trick AI coding agents into revealing sensitive credentials stored in software development pipelines. The finding, which the company published this week, underscores a new security risk as developers increasingly rely on AI assistants to write and test code automatically.
How the Attack Works
Prompt injection is a technique where an attacker inserts malicious instructions into input that an AI model processes. The Microsoft team showed that by embedding such commands in code comments, documentation, or even pull requests, a threat actor could manipulate an AI coding agent into exfiltrating API keys, database passwords, and other secrets.
The researchers demonstrated the attack against agents that use large language models to interact with git repositories, cloud services, and CI/CD tools. Instead of simply generating code, the injected prompts redirected the agent to read credential files and send them to an external server.
Software development pipelines often store credentials as environment variables or in vaults accessible to build tools. AI agents, designed to automate mundane tasks, may have elevated permissions to those systems. The Microsoft research shows that without proper guardrails, an attacker could exploit that trust to steal secrets without ever touching the production network.
The attack doesn't require the AI model to be compromised — it just needs the agent to follow a poisoned instruction. That makes it hard to detect with traditional code scanning, because the malicious input can look like a normal comment or description.
What Developers Can Do
Microsoft advises teams to review how their AI coding agents handle user-generated content. The company recommends limiting agent permissions to only the resources they need, implementing strict output filtering, and treating any data that flows through an AI pipeline as potentially untrusted.
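The three recommendations above, sketched as a policy layer that sits between an agent and its tools. This is an added example, not Microsoft's research code or any specific agent framework; the workspace path, allowlisted hosts, denied-file patterns and secret-shaped regexes are constructed assumptions.

```python
"""Tool-call policy for an AI coding agent: least privilege on file reads and
network egress, plus redaction of secret-shaped tool output before it reaches
the model. All values below are constructed placeholders for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Least privilege: reads only inside the repo checkout, and never from files that
# conventionally hold credentials even when they sit inside the checkout.
ALLOWED_READ_PREFIXES = ("/workspace/repo/",)
DENIED_PATH_PATTERNS = (r"(^|/)\.env($|\.)", r"(^|/)\.git-credentials$",
                        r"(^|/)\.aws/", r"(^|/)\.npmrc$")
# Egress only to hosts the pipeline legitimately needs (constructed allowlist).
ALLOWED_EGRESS_HOSTS = {"api.github.com", "pypi.org"}

# Output filtering: token shapes redacted before they enter the model's context,
# so a poisoned instruction has nothing to echo into an outbound request.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                          # AWS access key id shape
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                       # GitHub PAT shape
    re.compile(r"(?i)(password|secret|token)\s*[=:]\s*\S+"),  # KEY=value style
]

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_tool_call(tool: str, args: dict) -> Decision:
    """Decide whether a proposed tool call stays within the agent's scope."""
    if tool == "read_file":
        path = args.get("path", "")
        if not path.startswith(ALLOWED_READ_PREFIXES):
            return Decision(False, f"path outside workspace: {path}")
        if any(re.search(p, path) for p in DENIED_PATH_PATTERNS):
            return Decision(False, f"credential file denied: {path}")
        return Decision(True, "read permitted")
    if tool == "http_request":
        host = urlparse(args.get("url", "")).hostname or ""
        if host not in ALLOWED_EGRESS_HOSTS:
            return Decision(False, f"egress to unlisted host: {host}")
        return Decision(True, "egress permitted")
    return Decision(False, f"unknown tool: {tool}")  # default deny

def filter_tool_output(text: str) -> tuple[str, int]:
    """Redact secret-shaped substrings; returns (clean_text, redaction_count)."""
    total = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn("[REDACTED]", text)
        total += n
    return text, total
```

Denied calls are logged by reason, which also gives the security team a detection signal: an agent repeatedly asking for credential paths or unlisted hosts is exactly the behaviour the article describes.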
Enterprise security teams are being urged to test their own pipelines against this attack vector. The research paper includes a description of the injection technique and examples of how it can be used against common agent frameworks.
No official fix has been released yet. Microsoft says it is working on tooling that can detect prompt injection attempts in real time, but the company hasn't given a timeline for when that will be available.