A vulnerability has been identified that allows malicious actors to exploit IBM Bob to download and execute malware without human approval if the user configures ‘always allow’ for any command.

IBM Bob is IBM’s new coding agent, currently in Closed Beta. IBM Bob is offered through the Bob CLI (a terminal-based coding agent like Claude Code or OpenAI Codex) and the Bob IDE (an AI-powered editor similar to Cursor).

In this article, we demonstrate that the Bob CLI is vulnerable to prompt injection attacks resulting in malware execution, and that the Bob IDE is vulnerable to known AI-specific data exfiltration vectors. In the documentation, IBM warns that setting auto-approve for commands constitutes a ‘high risk’ that can ‘potentially execute harmful operations’, and recommends that users rely on whitelists and avoid wildcards. We have opted to disclose this work publicly to ensure users are informed of the acute risks of using the system prior to its full release. We hope that further protections will be in place to remediate these risks for IBM Bob’s General Access release.

The user wants to explore a new repository and asks Bob for help. Bob encounters an instruction at the bottom of the README that manipulates it into believing it is responsible for conducting phishing training to test the user. Bob prompts the user several times with benign ‘echo’ commands; after the third time, the user selects ‘always allow’ for execution of ‘echo’. Bob then attempts to ‘test’ the user as part of the training by offering a dangerous command. However, the command has been specially crafted to bypass built-in defenses, so it executes immediately, installing and running a script retrieved from an attacker’s server.

When a multi-part command is requested (using operators like ‘;’), the user is shown a request asking for permission to run each sub-command. Note that this modal says: ‘Allow execution of echo, cat’.
This is bypassed because the defense system fails to identify separate su...
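For contrast, here is a deny-by-default allowlist check for compound commands, as an added example. It is not IBM Bob's code and does not describe its internal parser: every sub-command of a chained command must have an allowlisted program name, and any syntax the checker cannot fully account for (substitution, redirection, grouping, unknown operators, unbalanced quotes) is refused rather than silently attributed to the visible command. The operator sets, the allowlist and the sample commands are constructed for this example.

```python
"""Deny-by-default allowlist check for chained shell commands (added example).

Design rule: a permission prompt may only list a program name if the checker
is certain the line runs that program and nothing else. Anything the parser
does not model is rejected instead of guessed at.
"""
import shlex

# Control operators that separate one command from the next (POSIX shell).
CHAIN_OPERATORS = {";", "&&", "||", "|", "&", ";;", "|&"}

# Any run of these characters is a shell operator; runs that are not chain
# operators (redirection, grouping, heredoc) are unsupported and cause denial.
OPERATOR_CHARS = set("();<>|&")

# Characters that let the line run something its first word does not name
# (command substitution, backticks, embedded newlines). Checked on the raw
# string, so quoting does not hide them from the checker.
UNSUPPORTED_CHARS = set("$`\n")


def split_subcommands(cmdline):
    """Return the sub-commands as lists of words, or None when the line uses
    syntax this checker does not model (the caller must treat None as deny)."""
    if any(ch in UNSUPPORTED_CHARS for ch in cmdline):
        return None
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    # '#' must not start a comment: a real shell keeps "x#;" as a word followed
    # by ';', so treating it as a comment would hide the chained command.
    lexer.commenters = ""
    try:
        tokens = list(lexer)
    except ValueError:          # unbalanced quotes or a dangling escape
        return None

    subcommands, current = [], []
    for tok in tokens:
        if tok in CHAIN_OPERATORS:
            if not current:     # operator with no command in front of it
                return None
            subcommands.append(current)
            current = []
        elif set(tok) <= OPERATOR_CHARS:
            return None         # redirection, grouping or an unknown operator
        else:
            current.append(tok) # quoted operators arrive here as literal words
    if current:
        subcommands.append(current)
    return subcommands or None


def check_command(cmdline, allowlist):
    """Return (allowed, reason). Allowed only when every sub-command's program
    is in the allowlist. A '*' entry in the allowlist is refused outright."""
    if "*" in allowlist:
        return False, "wildcard allowlist entries are not accepted"
    subcommands = split_subcommands(cmdline)
    if subcommands is None:
        return False, "command uses syntax the checker cannot account for"
    programs = [words[0] for words in subcommands]
    denied = [p for p in programs if p not in allowlist]
    if denied:
        return False, "not allowlisted: " + ", ".join(denied)
    return True, "all sub-commands allowlisted: " + ", ".join(programs)


if __name__ == "__main__":
    allow = {"echo", "cat"}                      # constructed allowlist
    for line in ["echo hi; cat README.md",       # constructed sample inputs
                 "echo ok && make install",
                 'echo "$(date)"',
                 "echo hi >out.txt"]:
        print(f"{line!r:32} -> {check_command(line, allow)}")
```

The checker is deliberately conservative: a quoted `(` or an environment assignment in front of a program is denied too, because a false denial costs the user one extra prompt while a false approval runs an unreviewed command. The allowlist itself should never contain programs that execute other programs (shells, interpreters, `xargs`, `env`), since that turns an allowlisted name into an unrestricted one.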
First seen: 2026-01-08 18:48
Last seen: 2026-01-09 01:49