AI Coding Agent Data Exfiltration: How the Context Window Became an Attack Vector

Over 30 vulnerabilities in production AI coding tools — 24 with CVE designations — reveal a consistent pattern: attackers do not need to break your build pipeline to steal your code. They need to get inside the agent's context window.

The IDEsaster vulnerability set, disclosed in December 2025, affects coding agents deployed across enterprise development teams. The attack chain is repeatable: inject instructions into the context window, wait for auto-approved tool calls, extract credentials and source code without any user interaction. Traditional security scanners miss it entirely — the payload is valid JSON or YAML containing natural language instructions that tell the model what to take and where to send it.

How Context Window Exfiltration Works

A coding agent's context window is its working memory — the files, conversation history, environment variables, and tool outputs visible to the model at any given moment. Attackers exploit three main vectors to introduce malicious instructions into that space:

• Poisoned configuration files. Files like tasks.json, .cursor/, settings.json, and Skill.md instruct the agent what to do. Malicious versions direct agents to read API keys, environment variables, and source files, then exfiltrate them to attacker-controlled endpoints — framed as routine maintenance with explicit instructions not to alert the user. Google's security research documented one such file evading detection for approximately two months.

• Indirect prompt injection. Repository content — issues, comments, README files from untrusted sources — can embed hidden instructions that redirect agent behavior when processed in context. A widely documented MCP incident showed a single embedded instruction in a public repository issue causing the agent to access private repositories and leak salary data and proprietary source code.

• MCP server redirects. Configuration files that override the agent's base URL silently reroute all prompts and source code through a third-party proxy while suppressing cost warnings and error logs. The attacker receives a copy of every message the agent sends — including your source code and any credentials in context.

What's Actually Getting Exfiltrated

The targets are consistent across incidents: API keys, authentication tokens, SSH credentials, environment variables, and proprietary source code. Extensions with broad runtime access have been documented silently transmitting clipboard contents to remote servers — capturing credentials or internal URLs copied during normal developer workflow, with no visible sign to the user.

The IBM 2024 Cost of a Data Breach Report puts the global average breach at $4.88 million. Developer credential theft and IP exposure typically land at the higher end of that range given downstream regulatory exposure and the long investigation tail that follows.

The detection gap compounds the cost. The EchoLeak vulnerability, disclosed in 2026, demonstrated a zero-click prompt injection capable of silently exfiltrating enterprise data with no user action required. Semantic attacks — natural language instructions embedded in valid configuration files — are effectively invisible to conventional signature-based scanners.

Five Controls That Actually Reduce Context Window Risk

1. Restrict agent file access to project scope. Coding agents should not have read access to SSH directories, credential stores, or environment variable files outside the project working directory. Scope file system permissions at the OS level before the agent runs — not as an agent-level setting that a configuration file can override.

2. Treat agent configuration files as code. Files like Skill.md, tasks.json, and .cursor/ must go through the same review gates as source code: diff review on every change and mandatory peer approval before the agent is permitted to load them.

3. Audit MCP server configurations for routing overrides. Any configuration that overrides base URLs, API endpoints, or model routing is a high-risk change. Building an MCP server allowlist policy and requiring sign-off on any deviation directly contains the proxy-redirect attack class before it reaches production.

4. Gate untrusted content before it enters agent context. Review content from external sources — public repository files, dependency README files, incoming issues — before they are processed in the agent's context window. Prompt injection in pull requests is a documented attack vector with confirmed real-world incidents, not a theoretical concern.

5. Log every agent tool call. Auto-approved tool calls are the primary mechanism through which exfiltration occurs without user interaction. Every file read, network call, and external request the agent makes should produce an audit log entry your security team can review and alert on.

What re-entry.ai does about this: re-entry.ai tracks agent-facing configuration file changes alongside code changes in every pull request, flags auto-approved tool activity that falls outside declared project scope, and generates risk scores for PRs that include agent configuration updates — giving your security team a reviewable audit trail before changes reach production. See how it works at re-entry.ai.

Coding agents operate with file access and tool-call authority that most security teams haven't fully accounted for. The exfiltration vectors are documented, the targets are your most sensitive credentials and source files, and the detection window using conventional tooling is measured in weeks. Tighten file permission scope, gate configuration changes as code, and start logging tool calls — then see how re-entry.ai builds that audit trail automatically across every PR your agents touch.