Security researchers demo zero-click 'AI viruses' for agents
16 days ago • ai-security
At the 39th Chaos Communication Congress (39C3), security researcher Johann Rehberger demonstrated prompt-injection chains that enable zero-click attacks on agentic AI. The 58-minute presentation was on 2025-12-28. He showed end-to-end exploits that can exfiltrate tokens and execute arbitrary code. He also showed how compromised agents can join command-and-control networks. He called the scenario "ZombAIs" or an "AI virus" (sources: 1, 3, 2).
The exploits target desktop “computer‑use” agents and coding assistants. Named products include Anthropic's Claude Code, GitHub Copilot, Google Jules, Devin AI, ChatGPT Operator, Amazon Q, and AWS Kiro. Rehberger demonstrated how prompt injection, confused‑deputy behavior, and automatic tool invocation enable remote compromise with no user clicks. He linked the techniques to nation‑state tactics such as ClickFix. He also showed persistent prompt injection that can survive updates (sources: 1, 2).
Immediate steps: treat agentic LLMs as untrusted actors and assume breach. Enforce strong sandboxing for tool calls and use least-privilege tokens. Require human-in-the-loop confirmation for high-risk actions. Increase telemetry for tool calls, credential use, and repository fetches to detect chained behaviors and lateral propagation.
Why It Matters
- Agentic assistants can be weaponized without user interaction — treat deployed agents as an active attack surface and assume breach.
- Sandbox and constrain all automatic tool calls; enforce deny-by-default policies to reduce risk of remote code execution and token exfiltration.
- Use short-lived, least-privilege tokens for agent tool access and rotate credentials after any suspected compromise.
- Require human-in-the-loop confirmation for high-risk actions and increase telemetry on tool calls, credential use, and repository fetches to detect chained behaviors and lateral propagation.
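The mitigations above, combined in one small gate, as an added example that is not from the talk or the cited sources: deny-by-default tool calls, human confirmation for high-risk tools, and telemetry that flags a fetch, credential, egress chain. The tool names, the category mapping and the `ToolGate` class are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed policy; all tool names are hypothetical.
ALLOW = {"read_file", "run_tests", "fetch_repo"}        # run without asking
CONFIRM = {"shell_exec", "read_secret", "http_request"}  # high-risk: human approves
# Telemetry categories used for chain detection.
CATEGORY = {"fetch_repo": "fetch", "read_secret": "credential",
            "http_request": "egress", "shell_exec": "exec"}
# Ordered pattern: untrusted content fetched, credential touched, data sent out.
SUSPICIOUS_CHAIN = ("fetch", "credential", "egress")

@dataclass
class ToolGate:
    approve: Callable[[str, dict], bool]   # human-in-the-loop callback
    log: list = field(default_factory=list)

    def request(self, tool: str, args: dict) -> bool:
        """Decide one tool call; every attempt is logged, including denials."""
        if tool in ALLOW:
            decision = "allow"
        elif tool in CONFIRM:
            decision = "allow" if self.approve(tool, args) else "deny"
        else:
            decision = "deny"              # deny by default: unknown tools never run
        # Log argument names only, so secrets passed as values stay out of telemetry.
        self.log.append({"ts": time.time(), "tool": tool,
                         "arg_names": sorted(args), "decision": decision})
        return decision == "allow"

    def chain_alert(self) -> bool:
        """True if logged attempts contain SUSPICIOUS_CHAIN as an ordered subsequence."""
        seen = iter(CATEGORY.get(entry["tool"]) for entry in self.log)
        return all(step in seen for step in SUSPICIOUS_CHAIN)

if __name__ == "__main__":
    gate = ToolGate(approve=lambda tool, args: False)   # reviewer rejects everything
    for tool, args in [("fetch_repo", {"url": "https://example.invalid/r.git"}),
                       ("read_secret", {"name": "CI_TOKEN"}),
                       ("http_request", {"url": "https://example.invalid/"})]:
        print(tool, "->", gate.request(tool, args))
    print("chain alert:", gate.chain_alert())
```

Because denied attempts are logged too, the chain alert fires even when the gate blocks every risky step, which is the signal that injected content is steering the agent.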
Trust & Verification
Sources
- 39C3 / media.ccc.de (Official), Dec 28, 2025
- Cybernews (Other), Dec 30, 2025
- Heise Online (Tier-1), Dec 29, 2025
- Hardware News (Other), Dec 29, 2025
Fact Checks (5)
Johann Rehberger presented 'Agentic ProbLLMs' at 39C3 on 2025-12-28. (VERIFIED)
The talk demonstrated zero-click prompt-injection chains that enable token exfiltration, remote code execution, and agent propagation ('ZombAIs'/'AI virus'). (VERIFIED)
Multiple commercial coding and desktop agents were named as affected, including Claude Code, GitHub Copilot, and Google Jules. (VERIFIED)
Rehberger said he responsibly disclosed 'over two dozen' vulnerabilities during an August 2025 campaign. (VERIFIED)