Agentic ProbLLMs: Exploiting AI Computer-Use And Coding Agents.
Description
During August 2025, the Month of AI Bugs project documented over two dozen previously unknown security vulnerabilities in agentic AI coding assistants across multiple vendors.
This paper presents the testing approach, synthesizes the most severe findings, and identifies recurring vulnerability patterns across these systems, which are formalized in this work as the “AI Kill Chain”.
The identified vulnerabilities included zero-click data exfiltration, arbitrary remote code execution, and long-term memory persistence in some of the evaluated agents, all exploitable via indirect prompt injection.
Beyond individual bugs, this work highlights systemic design failures, including over-reliance on LLM output as a security control, insufficient sandboxing and isolation, and entirely lacking human-in-the-loop safeguards. Vendor responses varied, ranging from rapid fixes with CVE assignments to delayed or absent remediation.
Finally, the paper places the research in context and observes that current practices increasingly normalize insecure AI system design while at the same time shifting responsibility to end users. This trajectory risks a normalization of deviance in agentic AI systems.
This research was presented at the following conferences:
- HITCON Taiwan, August 2025
- Out of The Box, Bangkok, August 2025
- HackAICon, Portugal, September 2025
- Agentic AI Security Summit, San Francisco, October 2025
- BSides Vancouver Island, October 2025
- 39C3 Power Cycles: Chaos Communication Congress, December 2025 (Final Version)
Files
- Agentic ProbLLMs-Exploiting-AI-Computer-Use-And-Coding-Agents-Month-of-AI-Bugs.pdf (783.4 kB, md5: 9d2a8559b54de4851edaebf2f026a9ac)
Additional details
- Alternative title: Agentic ProbLLMs: The Month of AI Bugs 2025