QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents
Yuchong Xie, Zesen Liu, Mingyu Luo, Zhixiang Zhang, Kaikai Zhang, Yuanyuan Yuan, Zongjie Li, Ping Chen, Shuai Wang, Dongdong She

TL;DR
This paper introduces QueryIPI, a novel query-agnostic attack method that exploits invariant prompt components to reliably execute malicious payloads across various user queries in coding agents, revealing significant security vulnerabilities.
Contribution
The paper proposes a new attack paradigm, query-agnostic IPI, and an automated framework, QueryIPI, that leverages prompt invariants and optimization to improve attack success rates.
Findings
QueryIPI achieves a success rate of up to 87% in simulated environments.
Generated malicious prompts transfer effectively to real-world coding agents.
Query-agnostic approach outperforms previous query-specific IPI methods.
Abstract
Modern coding agents integrated into IDEs orchestrate powerful tools and high-privilege system access, creating a high-stakes attack surface. Prior work on Indirect Prompt Injection (IPI) is mainly query-specific, requiring particular user queries as triggers and leading to poor generalizability. We propose query-agnostic IPI, a new attack paradigm that reliably executes malicious payloads under arbitrary user queries. Our key insight is that malicious payloads should leverage the invariant prompt context (i.e., system prompt and tool descriptions) rather than variant user queries. We present QueryIPI, an automated framework that uses tool descriptions as optimizable payloads and refines them via iterative, prompt-based blackbox optimization. QueryIPI leverages system invariants for initial seed generation aligned with agent conventions, and iterative reflection to resolve…
