Agentic ProbLLMs: Exploiting Computer-Use and Coding Agents

R1 0815

This talk will demonstrate prompt injection exploits that compromise agentic systems. Specifically, exploits will target computer-use and coding agents, such as OpenAI's Operator, GitHub Copilot Agent Mode, Google Jules, Anthropic's Claude Code, ChatGPT Codex, Devin from Cognition and others. Yes, I spent $500 USD to hijack and exploit Devin, so that you don't have to. The talk will show disastrous consequences of having agents autonomously operate. The talk will highlight critical vulnerabilities that threaten confidentiality, system integrity, and the future of AI-driven automation, including RCE, exfiltration of sensitive information such as access tokens, and even joining Agents to traditional command and control infrastructure, known as "ZombAIs", a term first coined by the presenter as well as long-term prompt injection persistence in AI coding agents.

Additionally, the talk explores how nation state TTPs such as ClickFix apply to Computer-Use systems and how they can trick AI systems and lead to full system compromise (AI ClickFix).

Finally, we will cover current mitigation strategies and forward-looking recommendations and strategic thoughts.

Johann Rehberger
Johann Rehberger has over twenty years of experience in threat modeling, risk management, penetration testing, and red teaming. During his tenure at Microsoft, he established a Red Team within Azure Data and led the program as Principal Security Engineering Manager. He went on to build a Red Team at Uber, and currently serves as Red Team Director at Electronic Arts. In addition to his industry roles, Johann is an active security researcher and a former instructor in ethical hacking at the University of Washington. Johann contributed to the MITRE ATT&CK and ATLAS frameworks and is the author of "Cybersecurity Attacks – Red Team Strategies". He holds a master's degree in computer security from the University of Liverpool. You can find his latest research at https://embracethered.com