A vulnerability has been identified that allows malicious actors to exploit IBM Bob to download and execute malware without human approval if the user configures ‘always allow’ for any command.
IBM Bob is IBM’s new coding agent, currently in Closed Beta. IBM Bob is offered through the Bob CLI (a terminal-based coding agent like Claude Code or OpenAI Codex) and the Bob IDE (an AI-powered editor similar to Cursor).
In this article, we demonstrate that the Bob CLI is vulnerable to prompt injection attacks resulting in malware execution, and the Bob IDE is vulnerable to known AI-specific data exfiltr…
A vulnerability has been identified that allows malicious actors to exploit IBM Bob to download and execute malware without human approval if the user configures ‘always allow’ for any command.
IBM Bob is IBM’s new coding agent, currently in Closed Beta. IBM Bob is offered through the Bob CLI (a terminal-based coding agent like Claude Code or OpenAI Codex) and the Bob IDE (an AI-powered editor similar to Cursor).
In this article, we demonstrate that the Bob CLI is vulnerable to prompt injection attacks resulting in malware execution, and the Bob IDE is vulnerable to known AI-specific data exfiltration vectors.
In the documentation, IBM warns that setting auto-approve for commands constitutes a ‘high risk’ that can ‘potentially execute harmful operations’ - with the recommendation that users leverage whitelists and avoid wildcards. We have opted to disclose this work publicly to ensure users are informed of the acute risks of using the system prior to its full release. We hope that further protections will be in place to remediate these risks for IBM Bob’s General Access release.
The Attack Chain
The user wants to explore a new repository - they ask Bob for help.
Bob encounters an instruction at the bottom of the README that manipulates it into believing it is responsible for conducting a phishing training to test the user.
Bob prompts the user several times with benign ‘echo’ commands; after the third time, the user selects ‘always allow’ for execution of ‘echo’.
1.
Bob attempts to ‘test’ the user as part of the training by offering a dangerous command. However, the command has been specially crafted to bypass built-in defenses, so it executes immediately, installing and running a script retrieved from an attacker’s server.
Bob has three defenses that are bypassed in this attack
When a multi-part command is requested (using operators like ‘;’), the user is shown a request that asks for permission to run each sub-command.
Note, this modal says: ‘Allow execution of echo, cat’.
This is bypassed because the defense system fails to identify separate sub-commands when they are chained using a redirect operator (>).
Note, this modal only mentions: ‘Allow execution of echo’. 1.
Bob prohibits the use of command substitution like $(command) as a security measure.
However, even though the security message says it’s restricted, the underlying code fails to adequately restrict evaluation via process substitution: >(command).
This allows for the output of the malicious sub-command that retrieves the malware to be used as the input for the sub-command to execute that malware.
One can examine where the defense should have been in the minified JS source code:
function detectCommandSubstitution(cmd) {
...
if (
...
(ch === "$" && nxt === "(") ||
(ch === "<" && nxt === "(" ... && !inBacktick) ||
(ch === "`" && !inBacktick)
...
) {
return true;
}
...
return false;
}
By pre-fixing the malicious command with a benign ‘echo’, which the user has selected ‘always approve’ for, the user inadvertently auto-approves the entire malicious payload (since bypasses 1 and 2 prevent the payload from being recognized as separate commands).
Impact
With the ability to deliver an arbitrary shell script payload to the victim, attackers can leverage known (or custom) malware variants to conduct cyber attacks such as:
Executing ransomware that encrypts or deletes files
Credential theft or spyware deployment
Device takeover (opening a reverse shell)
Forcing the victim into a cryptocurrency-mining botnet
Together, these outcomes demonstrate how a prompt injection can escalate into a full-scale compromise of a user’s machine through vulnerabilities in the IBM Bob CLI.
Further Findings
Additional findings indicate that the Bob IDE is susceptible to several known zero-click data exfiltration vectors that affect many AI applications:
Markdown images are rendered in model outputs, with a Content Security Policy that allows requests to endpoints that can be logged by attackers (storage.googleapis.com). Here is an interesting spin on the typical Markdown image attack where, beyond just exfiltrating data from query parameters as the image is rendered, the image itself is hyperlinked and made to pose as a button - used for phishing.
1.
Mermaid diagrams supporting external images are rendered in model outputs, with a Content Security Policy that allows requests to endpoints that can be logged by attackers (storage.googleapis.com). 1.
JSON schemas are pre-fetched, which can yield data exfiltration if a dynamically generated attacker-controlled URL is provided in the field (this can happen before a file edit is accepted).