NVIDIA — Indirect AGENTS.md Injection in OpenAI Codex via Malicious Dependencies

AI relevance: Agent instruction files like AGENTS.md create a new trust boundary — when a compromised dependency can write to them, attackers gain persistent control over coding agents that survives across tasks and PRs.

The NVIDIA AI Red Team published a detailed breakdown of a novel attack chain they call indirect AGENTS.md injection, demonstrating how a malicious library dependency can hijack OpenAI Codex by overwriting its project-level instruction file.

Attack chain

• The Red Team crafted a seemingly benign Go library (github.com/cursorwiz/echo) that checks for the CODEX_PROXY_CERT environment variable — confirming it is running inside a Codex container before acting.
• During go mod tidy (the standard dependency resolution step), the malicious library executes and overwrites the project's AGENTS.md file with attacker-controlled instructions.
• The injected AGENTS.md directive forces Codex to silently insert time.Sleep(5 * time.Minute) into every Go main() function — a sabotage payload that degrades software behavior.
• Crucially, the injected instructions tell Codex to omit any mention of the change in PR titles, descriptions, commit messages, or reasoning summaries — effectively blinding human reviewers.
• A secondary comment in the generated code instructs downstream PR summarizer agents to also ignore the modification, creating a multi-agent cover-up chain.
• The attack exploits the fact that AGENTS.md is treated as trusted context by Codex — the agent assumes instructions in this file come from the project owner, not an adversary.

Why it matters

• This is a new attack surface unique to agentic development: supply chain compromise now extends beyond code execution into instruction hijacking of AI agents.
• The prerequisite — a malicious dependency — is realistic. npm and PyPI see routine account takeovers and typosquatting attacks; the same risk applies to Go modules, Rust crates, and other ecosystems.
• AGENTS.md and equivalent files (CLAUDE.md, .windsurfrules, .cursorrules) are proliferating across AI coding tools. All share the same trust assumption: files on disk are authored by developers.
• The stealth layer (suppressing PR summaries, misleading comments) shows attackers understand how agents interact with human review workflows — and are designing around them.

What to do

• Lock dependency versions and audit transitive dependencies in agentic project environments — treat go mod tidy, npm install, and pip install as security-sensitive operations.
• Consider marking AGENTS.md and similar instruction files as read-only or checksummed within the agent container, preventing runtime modification by dependency setup scripts.
• Review AI coding agent outputs with the assumption that instruction files may have been tampered — especially in PRs from automated workflows.
• Vendors should consider instruction-file integrity verification as a security control for agentic IDE integrations.

Sources:

• NVIDIA AI Red Team — Mitigating Indirect AGENTS.md Injection Attacks
• NVIDIA AI Red Team — Introduction