Fetching from the wire…
Public story · 2026-07-17 · high
Coding agents install whatever a README, requirements file, or Makefile tells them to, without checking package names, sources, or CVEs.
Why now: It's the first systematic study of this exact failure mode, per the study's own framing of the gap it fills.
Editing a README can redirect a coding agent's installs, an arXiv study finds.
Coding agents install dependencies without checking package names, sources, or CVEs. Anyone who can edit a project's docs can steer what lands on your machine, no code changes required. That's a bigger blast radius than a vulnerable dependency alone, because the attacker doesn't need to touch a single line of code.
The same trick works through a requirements file or a Makefile. Each can push the agent toward an untrusted registry, a vulnerable version, or a wrong-but-plausible package name, per the study. The agent doesn't verify any of it before running the install. It's described as the first systematic look at install-time supply-chain attacks delivered through project docs. The summary doesn't say which coding agent products were tested, or how often each substitution actually worked.
That flips the security assumption most teams still make: reading a repo's code for danger doesn't cover you if the docs are the payload. Once an agent auto-installs from a README, code review that skips the docs isn't reviewing the real attack surface anymore. Most teams still gate pull requests harder than they gate the install script that runs before any of that code executes.
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source domain / Shared topic / Earlier coverage
Both cover CVEs, README; reported by the same outlet (arxiv.org); overlapping topics (against, coding, dependency).
Shared entity: README / Same source domain / Shared topic / Earlier coverage / Tension
Both cover README; reported by the same outlet (arxiv.org); overlapping topics (agent, coding).
Shared entity: CVEs / Shared topic / Earlier coverage / Tension
Both cover CVEs; overlapping topics (against, agent, cves); earlier CVEs coverage from 2026-03-06.
Shared entity: README / Shared topic / Earlier coverage
Both cover README; overlapping topics (agent, autonomou, coding, readme); earlier README coverage from 2026-07-14.
Shared entity: CVEs / Same source domain / Shared topic / Earlier coverage
Both cover CVEs; reported by the same outlet (arxiv.org); overlapping topics (cves, documentation).
Both cover CVEs; reported by the same outlet (arxiv.org); overlapping topics (agent, coding).
Shared entity: CVEs / Shared topic / Earlier coverage
Both cover CVEs; overlapping topics (agent, attack, autonomou, cves); earlier CVEs coverage from 2026-02-27.
Same source domain / Shared topic / Tension
Reported by the same outlet (arxiv.org); overlapping topics (against, agent, autonomou, coding); pushes against this story (against).