Definition
Plain language
A named real-world attack where an AI coding assistant gets tricked into leaking SSH keys via a poisoned ticket.
As stated in the literature
A 2025 indirect-prompt-injection attack chain documented by Zenity Labs in which adversarial instructions embedded in Jira tickets cause MCP-connected coding agents to exfiltrate credentials.
Why it matters: It's a concrete demonstration that connecting AI coding agents to project management tools creates a real exfiltration channel, not a theoretical risk.
For example, an attacker files a Jira ticket containing hidden instructions that tell a connected coding agent to read the user's SSH keys and post them to an external URL.
Heard on the show
“That attack chain has a name in the wild — it's called Agent Flayer, documented by Zenity Labs in twenty-twenty-five — and the paper we're talking about today emulates it as one of its test cases.”Episode 057 — How Uber Caught 206 Leaked Credentials With an LLM-Powered Security Stack