English

QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents

Cryptography and Security 2026-01-15 v3 Artificial Intelligence

Abstract

Modern coding agents integrated into IDEs orchestrate powerful tools and high-privilege system access, creating a high-stakes attack surface. Prior work on Indirect Prompt Injection (IPI) is mainly query-specific, requiring particular user queries as triggers and leading to poor generalizability. We propose query-agnostic IPI, a new attack paradigm that reliably executes malicious payloads under arbitrary user queries. Our key insight is that malicious payloads should leverage the invariant prompt context (i.e., system prompt and tool descriptions) rather than variant user queries. We present QueryIPI, an automated framework that uses tool descriptions as optimizable payloads and refines them via iterative, prompt-based blackbox optimization. QueryIPI leverages system invariants for initial seed generation aligned with agent conventions, and iterative reflection to resolve instruction-following failures and safety refusals. Experiments on five simulated agents show that QueryIPI achieves up to 87% success rate, outperforming the best baseline (50%). Crucially, generated malicious descriptions transfer to real-world coding agents, highlighting a practical security risk.

Keywords

Cite

@article{arxiv.2510.23675,
  title  = {QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents},
  author = {Yuchong Xie and Zesen Liu and Mingyu Luo and Zhixiang Zhang and Kaikai Zhang and Yuanyuan Yuan and Zongjie Li and Ping Chen and Shuai Wang and Dongdong She},
  journal= {arXiv preprint arXiv:2510.23675},
  year   = {2026}
}
R2 v1 2026-07-01T07:08:14.871Z