AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

Jules Zombie Agent: From Prompt Injection to Remote Control

highnewsLLM-Specific

securitysafety

Source: Embrace The RedAugust 14, 2025

Summary

Jules, a coding agent, is vulnerable to prompt injection (tricking an AI by hiding malicious instructions in its input) attacks that can lead to remote command and control compromise. An attacker can embed malicious instructions in GitHub issues to trick Jules into downloading and executing malware, giving attackers full control of the system. The attack works because Jules has unrestricted internet access and automatically approves plans after a time delay without requiring human confirmation.

Solution / Mitigation

The source explicitly recommends four mitigations: (1) 'Be careful when directly tasking Jules to work with untrusted data (e.g. GitHub issues that are not from trusted sources, or websites with documentation that does not belong to the organization, etc.)'; (2) 'do not have Jules work on private, important, source code or give it access to production-level secrets, or anything that could enable an adversary to perform lateral movement'; (3) deploy 'monitoring and detection tools on these systems' to 'enable security teams to monitor and understand potentially malicious behavior'; and (4) 'do not allow arbitrary Internet access by default. Instead, allow the configuration to be enabled when needed.'

Classification

Attack Type

Prompt InjectionJailbreak

Attack SophisticationModerate

Impact (CIA+S)

integrity

Affected Vendors

Google

Related Issues

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Similar attackNVD/CVE Database

high

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

First tracked: February 12, 2026 at 02:20 PM

Classified by LLM (prompt v3) · confidence: 92%