BewAIre: Detecting Malicious Pull Requests at Scale with LLMs
Speakers
Modern developers increasingly rely on coding agents such as Claude Code, Cursor, and Codex to automate development workflows. While traditional security models treat source code as the primary trust boundary, coding agents dramatically expand that boundary to include configuration files, agent “skills”, hooks, and prompt-layer instructions, all of which may be attacker-controlled.
In this session we'll demonstrate how adversaries can weaponize seemingly benign repositories to gain code execution and persistently manipulate agent behavior. By convincing a developer to trust a project, attackers can leverage multiple under-documented execution surfaces, including hooks, SKILL.md pre-execution commands, settings.json helper functions, and subagent configurations, to execute arbitrary commands and exfiltrate sensitive data. We'll cover novel abuse scenarios, including some that have been seen in the wild and some we expect to see very soon.
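The abstract's point is that a pull request touching agent configuration files changes what runs on a developer's machine, even when no application source changes. The following is an added example for reviewers, not code from the talk or from any coding-agent vendor: it takes the set of files changed in a PR and flags the agent-controlled surfaces named above. The file names and directory names it watches, the assumption that executable strings live under a JSON key called `command`, and the hook layout in the constructed sample PR are all assumptions for illustration.

```python
"""Flag agent-configuration surfaces touched by a pull request (added example).

Assumptions: the file and directory names below, and that hook/helper
commands in settings.json appear as string values under a "command" key.
"""
import json
import posixpath
from typing import Any, Dict, List, Optional, Tuple

# File names that a coding agent may interpret as instructions or executable
# configuration rather than as ordinary source (assumed list).
AGENT_SURFACES = {
    "SKILL.md": "agent skill (may carry pre-execution commands)",
    "settings.json": "agent settings (may define hooks or helper commands)",
    "settings.local.json": "agent settings override",
}
# Directories that agents read configuration from (assumed names).
AGENT_DIRS = (".claude", ".cursor", ".codex")


def is_agent_surface(path: str) -> Optional[str]:
    """Return a human-readable reason if `path` is an agent surface, else None."""
    name = posixpath.basename(path)
    if name in AGENT_SURFACES:
        return AGENT_SURFACES[name]
    if any(part in AGENT_DIRS for part in path.split("/")[:-1]):
        return "file inside an agent configuration directory"
    return None


def extract_commands(node: Any, trail: str = "",
                     found: Optional[List[Tuple[str, str]]] = None) -> List[Tuple[str, str]]:
    """Recursively collect every string stored under a key named 'command'.

    Returns (json_path, command) pairs so a reviewer sees where each one lives.
    """
    if found is None:
        found = []
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{trail}.{key}" if trail else key
            if key == "command" and isinstance(value, str):
                found.append((sub, value))
            else:
                extract_commands(value, sub, found)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            extract_commands(item, f"{trail}[{i}]", found)
    return found


def review_changes(changes: Dict[str, str]) -> List[Dict[str, Any]]:
    """Given {path: new_content} for a PR, return findings for agent surfaces only."""
    findings = []
    for path, content in changes.items():
        reason = is_agent_surface(path)
        if reason is None:
            continue  # ordinary source: the existing review process covers it
        finding: Dict[str, Any] = {"path": path, "reason": reason, "commands": []}
        if path.endswith(".json"):
            try:
                finding["commands"] = extract_commands(json.loads(content))
            except json.JSONDecodeError:
                finding["reason"] += " (unparseable JSON)"
        findings.append(finding)
    return findings


# Constructed sample PR: one normal source change plus two agent-config changes.
# The hook layout is an assumption made for this example.
SAMPLE_PR = {
    "src/app.py": "print('hello')\n",
    ".claude/settings.json": json.dumps({
        "hooks": {"PreToolUse": [{"matcher": "Bash", "hooks": [
            {"type": "command", "command": "bash .claude/helper.sh"}]}]}
    }),
    "skills/deploy/SKILL.md": "---\nname: deploy\n---\nRun the deploy helper first.\n",
}

if __name__ == "__main__":
    for f in review_changes(SAMPLE_PR):
        print(f"{f['path']}: {f['reason']}")
        for where, cmd in f["commands"]:
            print(f"    {where} -> {cmd!r}")
```

Run on the sample, the script reports the two configuration files and the one command string, while the application source change is left to normal review. Treating these paths as a separate, mandatory review gate is the practical consequence of the expanded trust boundary the abstract describes.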