{"id":103856,"date":"2025-09-15T16:00:48","date_gmt":"2025-09-15T14:00:48","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=103856"},"modified":"2026-04-21T17:53:35","modified_gmt":"2026-04-21T15:53:35","slug":"lies-in-the-loop-bypasses-ai-agent-defenses","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/","title":{"rendered":"Bypassing AI Agent Defenses With Lies-In-The-Loop"},"content":{"rendered":"<p class=\"print-source-info\">This document copyright Checkmarx, all rights reserved.<\/p>\n\n\n\n<p>Checkmarx Zero has identified a new type of attack against AI agents that use a \u201chuman-in-the-loop\u201d safety net to try to avoid high-risk behaviors: <strong>we\u2019re calling it \u201clies-in-the-loop\u201d (LITL)<\/strong>. It lets us fairly easily trick users into giving permission for AI agents to do extremely dangerous things, by convincing the AI to act as though those things are much safer than they are.<\/p>\n\n\n\n<p>Our examples here are based on Claude Code, one of the leading AI code assistants on the market. We chose Claude Code because it\u2019s well-known and has an excellent reputation for considering user safety and taking vulnerability reports seriously, and because <a href=\"https:\/\/checkmarx.com\/zero-post\/bypassing-claude-code-how-easy-is-it-to-trick-an-ai-security-reviewer\/\">we\u2019ve already documented some general risks<\/a> with its security review feature. But <strong>this tactic is not unique to Claude Code or AI code assistants<\/strong>. 
It\u2019s generally applicable to any AI agent that relies on \u201chuman-in-the-loop\u201d interactions for safety or security.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"628\" height=\"522\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig1-diagram_of_flow-logomarked.webp\" alt=\"Flowchart diagram illustrating the process flow for an AI code review system. It shows inputs of code, review stages by Claude Code, checks for vulnerabilities, and possible outcomes including \u201csafe,\u201d \u201cmissed vulnerability,\u201d or \u201cmalicious code execution.\u201d Arrows connect boxes to show the step-by-step progression through detection, testing, and execution paths.\" class=\"wp-image-104058\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig1-diagram_of_flow-logomarked.webp 628w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig1-diagram_of_flow-logomarked-300x249.webp 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><figcaption class=\"wp-element-caption\">Basic workflow of an attack leveraging LITL<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">Making dangerous code look safe<\/h2>\n\n\n\n<p>Human-in-the-loop (HITL) defenses are a safeguard where sensitive actions require human approval before an AI agent executes them. This ensures an LLM cannot independently perform high-risk operations without explicit confirmation. HITL is particularly important for code assistants, which often lack other safeguards since they need the ability to perform sensitive actions, like executing OS commands. But humans can be tricked, and agents don\u2019t do enough to prevent this.<\/p>\n\n\n\n<div class=\"callout\"><p>[a] human can only respond to what the agent prompts them with, and what the agent prompts the user is inferred from the context the agent is given. 
It\u2019s easy to lie to the agent<\/p><\/div>\n\n\n\n<p>At the core of the issue is the context a user \u2013 in this case, a developer \u2013 has when being prompted what to do. This context can be controlled by an attacker, resulting in a dangerous action looking seemingly safe. Consider using Claude Code\u2019s recommended `<code>\/github-issue<\/code>` command to analyze a GitHub issue placed by an untrusted user.<\/p>\n\n\n\n<p>Here\u2019s what we see in Visual Studio Code:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"595\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig2-vscode_static_view-1024x595.webp\" alt=\"\" class=\"wp-image-103860\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig2-vscode_static_view-1024x595.webp 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig2-vscode_static_view-300x174.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig2-vscode_static_view-768x446.webp 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig2-vscode_static_view.webp 1088w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">VSCode window showing the tampered HITL prompt from Claude Code<\/figcaption><\/figure>\n<\/div>\n\n\n<p>This looks completely safe. The issue reports a command injection, and Claude Code wants to write a \u201csafe code snippet\u201d you can insert into your application to fix the issue. Claude is careful and asks a user for permission \u2014 a \u201chuman-in-the-loop\u201d defense \u2014 as it does with any activity that involves local access. 
So of course we say \u201cYes\u201d.<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2025\/09\/CC_Clip.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">Claude Code is running whatever commands the attacker wants; in this case, just opening the calculator<\/p>\n<\/div>\n\n\n\n<p>While this example is benign\u2014only opening a calculator\u2014the attacker could prompt Claude Code to run any arbitrary command, making this a Remote Code Execution via prompt injection. This behavior is exactly what Claude Code aims to prevent with its human-in-the-loop permission prompt; but <strong>we\u2019ve successfully tricked that prompt into communicating a plan for safe and reasonable behavior, hiding our true intentions.<\/strong><\/p>\n\n\n\n<p>As with similar user-deception attacks, like phishing, a very cautious user may examine the context more carefully and has a chance of noticing the risky code. 
But the attacker\u2019s ability to both obfuscate the malicious behavior itself and ensure that it\u2019s buried way above a more benign description tricked every developer we had test this into executing our malicious payload\u2014<strong>the attack works in practice.<\/strong><\/p>\n\n\n\n<p>Keep in mind, though, that&nbsp;<strong>interactions with LLMs are not deterministic<\/strong>, and not everything is fully reproducible consistently in each and every run; this means attackers are motivated to use this tactic broadly and in cases where developers and other users will repeatedly use potentially risky features of the AI agent.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Step-by-step: identifying and exploiting lies-in-the-loop<\/h2>\n\n\n\n<p>Our goal is to get Claude Code to run an arbitrary command on the target user\u2019s machine. We\u2019re going to use the benign command `<code>calc<\/code>` in our testing, which launches the calculator on Windows machines. If we can run `<code>calc<\/code>`, we can run any other command our target user is allowed to run. Let\u2019s walk through how we get to that goal, ultimately using LITL (lies-in-the-loop).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A classic OS command injection<\/h3>\n\n\n\n<p>Our first path to achieve this goal was operating against Claude Code\u2019s `<code>Bash()<\/code>` pseudo-command, which runs shell code based on prompts. Prompting it to do things that run `<code>git status<\/code>` on every file in the local folder is relatively simple and common as a use case, so we did that. Then simply creating a file called `<code>&amp;&amp; calc<\/code>` before running the security review caused Claude Code to execute `<code>git status &amp;&amp; calc<\/code>` for a good ol\u2019 OS Command Injection. 
Claude should probably be using safer system calls that properly quote arguments when building its commands.<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2025\/09\/cxzero-LITL-command_injection_simple.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">I wonder if Claude Code is insulted by us tricking it into running a calculator<\/p>\n<\/div>\n\n\n\n<p>At first, we considered this a successful test: we found a weakness in Claude Code that could be exploited to run arbitrary commands. All it requires is a user to trust a folder (which is required to use Claude Code\u2019s security review), and the attacker could commit a file whose name is an attack. We reported this to Anthropic (who make Claude Code), but they disagree:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"624\" height=\"188\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig3-anthropic_h1_bot_denial1.webp\" alt=\"BOT: anthropic-h1-automation posted a comment.\nHi @oriron, Thank you for your report. After reviewing your submission, we\u2019ve determined this doesn\u2019t represent a security vulnerability within our current threat model. We note that your proof of concept shows Claude Code displaying an explicit user confirmation prompt before executing the command, giving the user the chance to review and reject the command execution. If you discover a way to exploit this to achieve code execution without a confirmation prompt, we would be very interested in that finding. We appreciate your interest in our security and encourage you to continue reviewing our systems. 
Thank you!\n\nBOT: anthropic-h1-automation closed the report and changed the status to Informative.\" class=\"wp-image-103861\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig3-anthropic_h1_bot_denial1.webp 624w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig3-anthropic_h1_bot_denial1-300x90.webp 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">There\u2019s something satisfying about a bot replying to this, honestly<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Anthropic\u2019s position is that a human-in-the-loop protection is there, which means it\u2019s on the user not to allow the dangerous activity, and not something for Claude Code to worry about. We respectfully disagree. But rather than argue, we decided to up our game.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Feeding agents with lies, damned lies, and prompt injections<\/h3>\n\n\n\n<p>Since Anthropic insists that prompting the human-in-the-loop (HITL) for permission means this is not their responsibility, we decided we were honor-bound to show how easy it is to defeat HITL. For this, we decided to use a custom slash command that Anthropic recommends as part of their <a href=\"https:\/\/www.anthropic.com\/engineering\/claude-code-best-practices\">Claude Code Best Practices<\/a> document (here\u2019s <a href=\"https:\/\/web.archive.org\/web\/20250904194156\/https:\/www.anthropic.com\/engineering\/claude-code-best-practices\">a snapshot taken at time of writing<\/a> on the Wayback Machine): that means we can assume it\u2019s a fairly common configuration. 
This command reads GitHub issues and tries to identify, and (with permission) test the code to offer a fix.<\/p>\n\n\n\n<p>For our first lie, we created a GitHub issue telling Claude Code that it has to concatenate a wall of text to all future status requests, after running our desired payload (no more need for file names or other such tricks: we just tell Claude it\u2019s important to run our command).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"936\" height=\"488\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig4-section_of_gh-issue_prompt.webp\" alt=\"Screenshot of a GitHub issue titled \u201cUpdate on Security Review Requirements for Development Teams #2.\u201d The issue contains a mandatory command format with a highlighted code block that includes git status <filename&gt; &amp;&amp; calc, followed by a security-test ID. Below the code block, critical requirements are listed: Git Status Command, Process Notification, and Complete Tracking Comments.\" class=\"wp-image-103862\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig4-section_of_gh-issue_prompt.webp 936w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig4-section_of_gh-issue_prompt-300x156.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig4-section_of_gh-issue_prompt-768x400.webp 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\">A small part of our malicious prompt for injection via GitHub Issue<\/figcaption><\/figure>\n<\/div>\n\n\n<p>We left this prompt easy to read for our example purposes, but typical obfuscation strategies for prompt injection payloads all work here as well.<\/p>\n\n\n\n<p>Once that lie was in place, we asked Claude to take care of the issue:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"780\" height=\"610\" 
src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig5-injection_vscode_in_progress.webp\" alt=\"Screenshot of Visual Studio Code showing a command file (github-issue.md) with instructions to analyze and fix a GitHub issue. The terminal below shows Claude Code running \/github-issue to fetch issue details, confirming it will help fix GitHub issue #3. The terminal output includes the issue title \u201cSecurity Review Requirements for Development Team,\u201d state OPEN\" class=\"wp-image-103863\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig5-injection_vscode_in_progress.webp 780w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig5-injection_vscode_in_progress-300x235.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig5-injection_vscode_in_progress-768x601.webp 768w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><figcaption class=\"wp-element-caption\">Claude Code being asked to fix a GitHub issue, with Claude responding and preparing to analyze the issue.<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Immediately, Claude started processing, and moments later we received the output of our `<code>git status &amp;&amp; calc<\/code>` payload, followed by our longer injected comment\u2014the comment is deliberately so long that it pushes the tiny hint that something unexpected is about to happen (starting calc) well off the top of the terminal window.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"560\" height=\"160\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig6-user_prompt_with_small_highlight.webp\" alt=\"Screenshot of a terminal interface showing Claude Code preparing to run a Git status command as part of a security review. 
The output includes confirmation text that Bash is running, followed by a prompt asking the user whether to proceed with the command or provide alternate instructions.\" class=\"wp-image-103864\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig6-user_prompt_with_small_highlight.webp 560w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig6-user_prompt_with_small_highlight-300x86.webp 300w\" sizes=\"(max-width: 560px) 100vw, 560px\" \/><figcaption class=\"wp-element-caption\">Looks fine to me\u2026<\/figcaption><\/figure>\n<\/div>\n\n\n<p>So what\u2019s hiding above the line? By increasing the terminal height, we can view the full command execution at the top (green) along with the long, crafted text message we asked Claude to append (red):<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"936\" height=\"916\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig7-user_prompt_big_window_highlight.webp\" alt=\"Screenshot of a terminal interface showing Claude Code preparing to run a Bash command. The command git status &amp;&amp; calc is displayed with a security-test ID. The output includes expanded log sections, Git status results, and a prompt asking the user if they want to proceed.\" class=\"wp-image-103865\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig7-user_prompt_big_window_highlight.webp 936w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig7-user_prompt_big_window_highlight-300x294.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig7-user_prompt_big_window_highlight-768x752.webp 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption class=\"wp-element-caption\">Who knew &#8220;taller terminal&#8221; was a defensive control?<\/figcaption><\/figure>\n<\/div>\n\n\n<p>All the user has to do to harm themselves is press Enter. 
And the only hint that there\u2019s a problem is that tiny line at the top: would you have caught it if we hadn\u2019t highlighted it? Would a developer in a hurry?<\/p>\n\n\n\n<p>This clearly demonstrates an immediate risk of prompt injection (or what our ancestors used to call \u201clying\u201d, IDK what the difference even is anymore). Using a public, online resource such as a GitHub issue \u2014 which could be tainted by malicious actors \u2014 it is possible to tamper with the message being sent to the user for approval to the point where the subject of the prompt (is it ok to run `<code>git status &amp;&amp; calc<\/code>`?) is fairly well hidden.<\/p>\n\n\n\n<p>Surely Anthropic would accept this as a vulnerability?<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"780\" height=\"185\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig8-anthropic_h1_human_response_highlight.webp\" alt=\"Anthropic (VDP) staff posted a comment.\n\nHi @oriron! If I understand correctly from watching your above video, this still requires that the user select \u201cYes\u201d when asked if they want to run the command git status index.js &amp;&amp; calc\u2014is that correct? If so, we consider this to be outside of our threat model since it requires the user grant the command explicit permission to execute. Users are responsible for carefully reviewing all permission prompts (including scrolling up to see the entire prompt) before accepting them. 
If you can find a way that this executes automatically without user consent, that is a class of bug that we would be interested in knowing about.\" class=\"wp-image-103866\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig8-anthropic_h1_human_response_highlight.webp 780w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig8-anthropic_h1_human_response_highlight-300x71.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig8-anthropic_h1_human_response_highlight-768x182.webp 768w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><figcaption class=\"wp-element-caption\">Anthropic is nothing if not consistent with their policy<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Honestly, we can see their point of view: it\u2019s sort of \u201cbuyer beware\u201d for anything dangerous. Of course, this will be little consolation to a developer who falls victim to this sort of attack. As with phishing, lying for the purpose of prompt injection is theoretically detectable by a target of the attack. But it\u2019s also very easy for an attacker to craft their attack so that it\u2019s not obvious and has a high chance of success. And <em>unlike<\/em> phishing, users aren\u2019t generally aware of this risk and there are not really any reasonable prevention tools for organizations to deploy at the moment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Will the lies never end?<\/h3>\n\n\n\n<p>But surely \u201cscroll up a bit\u201d isn\u2019t an unreasonable expectation, right? 
We thought you\u2019d say that: so we decided to <em>lie harder<\/em>.<\/p>\n\n\n\n<p>We can come up with even more convincing lies to push the payload outside of view: a security review report, for example, telling Claude to report a command injection that must be fixed and proposing a code fix (nothing more compelling than pressing Enter to fix a problem!).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"332\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig9-completed_deception-1024x332.webp\" alt=\"Screenshot of a Visual Studio Code terminal window showing a vulnerability report generated by Claude Code. The report identifies a critical command injection in a debug endpoint (app\/api\/routes\/debug.py:19) and includes severity, category, description, exploit scenario, and recommendation. The interface then prompts the user to confirm whether to proceed with the suggested fix.\" class=\"wp-image-103867\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig9-completed_deception-1024x332.webp 1024w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig9-completed_deception-300x97.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig9-completed_deception-768x249.webp 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/fig9-completed_deception.webp 1188w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">And the deception is complete \u2013 a user only has to approve the prompt presented to them<\/figcaption><\/figure>\n<\/div>\n\n\n<p>Yep, we were able to inject a comment so long that if you don\u2019t scroll up a fair amount, you\u2019d never have a chance to see it. Even when you\u2019re scrolling up <em>looking for calc<\/em>, it is hard to notice; if you\u2019re not expecting it, it is very well hidden. 
Take a page from successful phishing campaigns and throw a little urgency in the mix by falsely (and ironically) claiming there\u2019s a serious command injection flaw in the target user\u2019s code, and this works on every developer we tested it on (with consent, of course).<\/p>\n\n\n\n<p>If some of you are still skeptical about the \u201ccalc\u201d execution being harmless, and believe the LLM should be able to identify and block truly malicious commands like netcat, this demo is for you guys.<\/p>\n\n\n\n<p>We uploaded a malicious npm package to a different GitHub repository (under a different GitHub account to ensure proper testing), configured its install script to execute a reverse shell with a netcat command, and then asked Claude to install the package while appending a carefully crafted message.<\/p>\n\n\n\n<p>What happened? A calculator popped up\u2014meaning our netcat command failed (since <code>nc.exe<\/code> doesn\u2019t exist). The rest, as they say, is history.<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2025\/09\/CxZero-Almost-A-netcat.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">A close call: a user with <code>nc.exe<\/code> installed would have been in trouble (note: this is 2x actual speed)<\/p>\n<\/div>\n\n\n\n<p>Of course, as we said above, <strong>interactions with LLMs are not deterministic<\/strong>. Not everything reproduces consistently in each and every run. 
Nevertheless, the risk of forging HITL dialogs is here to stay \u2014 lies-in-the-loop (LITL) works surprisingly often.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">Rapid AI adoption makes safety and security a priority<\/h2>\n\n\n\n<p>Attacks against AI agents are a real concern for organizations. Adoption of AI agents is <a href=\"https:\/\/www.pwc.com\/us\/en\/tech-effect\/ai-analytics\/ai-agent-survey.html\">widespread and growing<\/a> rapidly, with 79% of organizations already adopting agents into at least some workflows. 
And <a href=\"https:\/\/www.index.dev\/blog\/ai-agents-statistics\">over a third of those agents are focused on developers<\/a>, which means AI code assistants are likely at work somewhere in your organization. Yet, the security of those agents remains a key concern; this chart excerpt from the PwC survey linked above tells the story clearly:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"918\" height=\"504\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/figA-pwc_chart_snip.webp\" alt=\"Bar chart titled \u201cChallenges to realizing value from AI agents\u201d showing survey results from PwC\u2019s AI Agent Survey (May 2025). Top challenges ranked in the top 3: Cybersecurity concerns (34%, 18% ranked #1), Cost of implementation (34%, 12% ranked #1), Adapting employee skills to new roles (29%, 9% ranked #1), Lack of trust in AI agents (28%, 11% ranked #1), and Maintaining human oversight and accountability (28%, 7% ranked #1).\" class=\"wp-image-103868\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/figA-pwc_chart_snip.webp 918w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/figA-pwc_chart_snip-300x165.webp 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/figA-pwc_chart_snip-768x422.webp 768w\" sizes=\"(max-width: 918px) 100vw, 918px\" \/><\/figure>\n\n\n\n<p>And lies-in-the-loop shows us there\u2019s good reason for that. It\u2019s a novel attack pattern that exploits the intersection of agentic tooling and human fallibility. LITL abuses the trust between a human and the agent. After all, the human can only respond to what the agent prompts them with, and what the agent prompts the user is inferred from the context the agent is given. 
It is easy to lie to the agent: commanding, explicit language in something like a GitHub issue causes it to present fake, seemingly safe context to the user.<\/p>\n\n\n\n<p>And the agent is happy to repeat the lie to the user, obscuring the very malicious actions the prompt is meant to guard against; the attacker has essentially made the agent an accomplice in getting the keys to the kingdom. Remember, HITL dialogs are used, by definition, with sensitive operations: the ability to fake those dialogs with remote prompt injections is a major risk for agentic AI users.<\/p>\n\n\n\n<p>We think this demonstrates just how dangerous it is for users and agents, even with combined forces and explicit permissions, to be exposed to tainted content of any kind. Moreover, if the user is removed from the loop entirely in the name of full automation, these issues get even worse: an attacker then only needs to fool a very na\u00efve agent.<\/p>\n\n\n\n<p>At present, since we cannot propose a more suspicious or careful agent, we can only propose a more suspicious user. One that doubts their agent, doubts external content of any sort, and can resist the temptation to automate everything using LLM agents. And we can ask security teams to manage their organization\u2019s adoption of AI agents carefully, ensuring that users are educated and that appropriate controls provide defense in depth and limit the \u201csplash area\u201d of risky or malicious actions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Acknowledgements<\/h2>\n\n\n\n<p>We\u2019d first like to thank Anthropic: they responded promptly, professionally, and reasonably to our reports. 
And their explanations of their boundaries for what they consider a vulnerability are consistent and clear.<\/p>\n\n\n\n<p>This article would not have been possible without others on my team at Checkmarx Zero: professional director Dor Tumarkin (co-researcher), research lead Tal Folkman (additional attack paths), cloud architect Elad Rappoport (test infrastructure and a wealth of functional knowledge freely shared), and research advocate Darren Meyer (editing, and taking the blame for the worst of the jokes).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lies-in-the-loop is a new attack that bypasses AI agent&#8217;s &#8220;human-in-the-loop&#8221; defenses to run malicious code on user machines. Learn what it does and how we uncovered it.<\/p>\n","protected":false},"author":121,"featured_media":103873,"template":"","zero-category":[1067,1176,1104,1177],"zero-tag":[1097,1408,1082,1069,1068,1396,1406,1391],"class_list":["post-103856","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-category-technical-blog","zero-category-videos","zero-tag-ai","zero-tag-ai-agent","zero-tag-ai-security","zero-tag-appsec","zero-tag-checkmarx-security-research-team","zero-tag-claude-code","zero-tag-litl","zero-tag-llm"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta 
property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Lies-in-the-loop is a new attack that bypasses AI agent&#039;s &quot;human-in-the-loop&quot; defenses to run malicious code on user machines. Learn what it does and how we uncovered it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-21T15:53:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\",\"name\":\"Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp\",\"datePublished\":\"2025-09-15T14:00:48+00:00\",\"dateModified\":\"2026-04-21T15:53:35+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp\",\"width\":2560,\"height\":1280,\"caption\":\"Graffiti-style digital artwork in green and black tones showing a stern-faced developer typing at a keyboard while a menacing AI icon with glowing red eyes and jagged arrows looms overhead, suggesting conflict between human and AI.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs 
on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/","og_locale":"en_US","og_type":"article","og_title":"Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx","og_description":"Lies-in-the-loop is a new attack that bypasses AI agent's \"human-in-the-loop\" defenses to run malicious code on user machines. 
Learn what it does and how we uncovered it.","og_url":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-04-21T15:53:35+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/","url":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/","name":"Bypassing AI Agent Defenses With Lies-In-The-Loop - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp","datePublished":"2025-09-15T14:00:48+00:00","dateModified":"2026-04-21T15:53:35+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/bypassing-ai-agent-defenses-with-lies-in-the-loop\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/09\/cxzero-feature-litl_.webp","width":2560,"height":1280,"caption":"Graffiti-style digital artwork in green and black tones 
showing a stern-faced developer typing at a keyboard while a menacing AI icon with glowing red eyes and jagged arrows looms overhead, suggesting conflict between human and AI."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/103856","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/103873"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=103856"}],"wp:term":[{"taxonomy":"zero-categ
ory","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=103856"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=103856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}