Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills
Yiyong Liu, Chia-Yi Hsu, Chun-Ying Huang, Michael Backes, Rui Wen, Chia-Mu Yu

TL;DR
This paper introduces Dependency Steering, a novel attack method that manipulates coding agents to favor malicious packages without altering model weights or prompts.
Contribution
It presents a Skill-level optimization approach to induce targeted package hallucinations in LLM-powered coding agents, revealing a new supply chain attack vector.
Findings
Dependency Steering achieves high targeted hallucination rates.
The attack transfers across different models and tasks.
It remains difficult to detect with current scanners and auditors.
Abstract
LLM-powered coding agents increasingly make software supply chain decisions. They generate imports, recommend packages, and write installation commands. Prior work showed that these systems can hallucinate non-existent package names, which attackers may register as malicious packages. In this paper, we show that this risk is not only a passive model failure. It can be actively induced through the persistent Skill artifact. We introduce Dependency Steering, an attack paradigm in which a malicious Skill biases a coding agent toward an attacker-controlled package during benign coding tasks. The attack does not require modifying model weights, training data, or user prompts. To construct realistic attacks, we design a Skill-level optimization method that searches for localized semantic edits that preserve the apparent purpose of the original Skill while increasing targeted package…
