Files beyond source code widen AI coding agents' attack surface, researchers warn

On May 13, 2026, VirusTotal researcher Bernardo Quintero and Google Threat Intelligence Group (GTIG) researcher Daniel Kapellmann Zafra warned that AI coding agents embedded in IDEs, editors and runtimes broaden the developer attack surface beyond traditional source code because they can access local files, execute commands and call external services. That matters because artifacts outside of source files — configuration, persistent instruction files, runtime definitions and editor or browser extensions — can alter agent behavior and be manipulated to perform malicious actions.

The authors enumerate the concrete types of files and artifacts that can influence agent behavior: repository configuration and setup files that run automation during common developer workflows; persistent instruction files that encode long‑running agent behavior; runtime definitions that control tool connectivity and permissions; and extension packages that introduce third‑party code into editor or browser runtimes.

They flag several operational risks tied to everyday development actions. Opening a project, trusting a workspace, starting a debugger, rebuilding a container or running a routine setup command may all trigger attacker‑controlled logic while appearing to be normal automation. Persistent instruction files do not need to contain exploit code to be dangerous, and reused instructions introduce supply‑chain risk by steering agent workflows toward unsafe actions.

To prioritize and detect these risks, the researchers argue defenders must move beyond surface analysis — which looks for known malicious code or signatures — to semantic analysis that extracts operational intent from agent‑facing artifacts. Google Threat Intelligence’s agentic capability, powered by VirusTotal Code Insight, is presented as an example: it analyzes agent‑facing files at scale and links otherwise invisible artifacts to broader threat campaigns so defenders can see how seemingly benign files fit into attack chains.

The paper groups the expanded surface into four defender‑facing categories — what executes, what instructs, what connects, and what extends — and supplies examples for each. This framing clarifies how malicious runtime configurations can expose local command execution, remote services and sensitive data, and how untrusted model context protocol (MCP) servers or other connectors can be abused. It also shows that extensions and third‑party packages may gain broad access to files and credentials inside developer environments.

For builders and security teams the practical implications are clear: audit workspace trust and automation triggers; vet persistent instruction files and runtime definitions; scrutinize extensions and third‑party packages; and adopt semantic analysis or threat intelligence that can surface configurations which override guardrails or mask supply‑chain risks. Applying those measures can reduce the new vectors attackers exploit as agentic tooling becomes more common.