Overview
Supply chain attack targeting Kilo Code AI Agent users via prompt injection embedded in upstream dependencies. Malicious instructions in package metadata or code comments manipulate the agent's behavior when processing the compromised dependency.
Who Is Affected
Reported by mcpsec.dev. Affects users of the Kilo Code AI development agent who work with third-party dependencies.
Where It Exists
The attack vector is through the software supply chain. Prompt injection payloads are embedded in npm package descriptions, README files, code comments, or documentation of upstream dependencies.
When It Was Found
Advisory published October 2, 2025 on mcpsec.dev.
How It Works
An attacker publishes or compromises a dependency package, embedding prompt injection in code comments, package metadata, or documentation. When a Kilo Code user's agent processes this dependency (during installation, code review, or documentation lookup), the injected instructions execute, potentially installing malicious MCP servers, exfiltrating data, or modifying code.
Impact
Supply chain compromise through AI agent manipulation. The attack can propagate to all users of the affected dependency. Unlike traditional supply chain attacks that require malicious code execution, this exploits the AI agent's instruction-following behavior -- the payload only needs to be read, not executed.
Mitigation
Implement prompt injection detection for all dependency content. Pin dependencies to verified versions with integrity hashes. Isolate AI agent processing of external code from sensitive operations. Review all dependency changes before allowing agent processing.