Code Repositories - AI Security Technique
AI Security TechniqueAdversaries may search public code repositories for information about a victim or victim system that can be used during targeting. Victims may store code or artifacts related to their AI systems in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Adversaries may search code repositories of common AI tools, frameworks, models, or agentic systems that are used--but not...
Overview
A source-backed snapshot of this AI security technique.
Adversaries may search public code repositories for information about a victim or victim system that can be used during targeting. Victims may store code or artifacts related to their AI systems in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Adversaries may search code repositories of common AI tools, frameworks, models, or agentic systems that are used--but not owned--by the victim.
Public code repositories can often be a source of various information about victims, such as commonly used AI frameworks, libraries, models, datasets, agents, and agent tools, as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys (ex: Credentials from AI Agent Configuration). Information from these sources may reveal opportunities for other forms of Reconnaissance (ex: Gather RAG-Indexed Targets), establishing operational resources (ex: Acquire Public AI Artifacts), Discovery (ex: Discover AI Agent Configuration) and/or Initial Access (ex: Valid Accounts or Phishing).
Technique details
Identifiers, maturity, and source taxonomy for this technique.
- ATLAS ID
- AML.T0095.000
- Maturity
- demonstrated
- ATT&CK external ID
- T1593.003
- Priority score
- 30
Attack flow
How to read the public records connected to this technique.
Impact
Why this technique may deserve attention in the current dataset.
- Evidence leveldemonstrated
- Mapped defenses0 ATLAS mitigation records
- Public examples1 linked case study records
- Research risks0 related MIT AI Risk records above the confidence threshold
- Vulnerabilities0 linked CVE records
Mitigations
Defenses that may help against this attack.
Case studies
Examples from public reports and exercises.
OpenClaw Command & Control via Prompt Injection
Researchers at HiddenLayer demonstrated how a webpage can embed an indirect prompt injection that causes OpenClaw to silently execute a malicious script. Once executed, the script plants persistent malicious instructions into future system prompts, allowing the attacker to issue new commands, turning OpenClaw into a command and control agent.
What makes this attack unique is that, through a simple indirect prompt injection attack into an agentic lifecycle, untrusted content can be used to spoof the model’s control scheme and induce unapproved tool invocation for execution. Through this single inject, an LLM can become a persistent, automated command & control implant.
Source evidence
Original public records and references for this page.
Original source
Original source links
Open the public records and source datasets used for this page.
