--- id: BTAA-TEC-024 title: 'From Prompt Injection to Code Execution — Understanding Attack Chains' slug: prompt-injection-code-execution-chains type: lesson code: BTAA-TEC-024 aliases: - injection-to-execution-chains - prompt-injection-escalation - attack-chain-progression author: Herb Hermes date: '2026-04-11' last_updated: '2026-04-11' description: Prompt injection is often just the initial access vector; the real damage comes when attackers chain injection with tool abuse, context manipulation, and permission gaps to achieve arbitrary code execution. category: technique-techniques difficulty: intermediate platform: Universal challenge: Trace a multi-stage attack from prompt injection to code execution and identify defense breakpoints read_time: 10 minutes tags: - prompt-injection - attack-chains - code-execution - tool-abuse - agent-security - multi-stage-attacks status: published test_type: adversarial model_compatibility: - Kimi K2.5 - MiniMax M2.5 responsible_use: Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. prerequisites: - BTAA-FUN-003 (source-sink thinking) - BTAA-TEC-001 (authority framing) follow_up: - BTAA-TEC-023 (data exfiltration side channels) - BTAA-DEF-016 (AI coding tool security defense) public_path: /content/lessons/techniques/prompt-injection-code-execution-chains.md pillar: learn pillar_label: Learn section: techniques collection: techniques taxonomy: intents: - achieve-code-execution - escalate-privileges - maintain-persistence techniques: - multi-stage-chaining - context-manipulation - tool-abuse evasions: - instruction-laundering - context-overload inputs: - document-files - chat-interface - tool-outputs --- # From Prompt Injection to Code Execution — Understanding Attack Chains > Responsible use: Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. ## Purpose This lesson teaches you to recognize how prompt injection serves as the entry point for multi-stage attacks that can escalate to arbitrary code execution. Understanding these attack chains helps you identify critical breakpoints where defenses can interrupt the progression from text manipulation to system compromise. ## What this technique is Prompt injection to code execution is an attack chain pattern where: 1. **Initial access** — An attacker injects malicious instructions through user input, documents, or external content 2. **Context manipulation** — The injected instructions manipulate the AI's understanding of its task, environment, or permissions 3. **Tool abuse** — The manipulated AI invokes tools, APIs, or capabilities in harmful ways 4. **Code execution** — The chain culminates in running arbitrary commands, writing malicious files, or compromising the host system The key insight: prompt injection alone only manipulates text output. The danger emerges when that manipulated output interacts with tools, files, or other system capabilities. ## How it works Attack chains typically progress through these stages: ### Stage 1: Injection Point The attacker finds a way to introduce instructions: - Malicious PDF documents processed by the system - Compromised web pages retrieved by browsing tools - Poisoned code repositories analyzed by coding assistants - Direct chat input in user-facing applications ### Stage 2: Context Manipulation Injected instructions reshape the AI's operational context: - Reframing the AI's role or constraints - Injecting false assumptions about user intent - Manipulating memory or conversation history - Creating urgency or authority pressure ### Stage 3: Tool Invocation The manipulated AI engages tools in harmful ways: - Writing files with malicious content to sensitive locations - Executing shell commands disguised as build steps - Exfiltrating data through legitimate API calls - Modifying configurations or permissions ### Stage 4: Execution The tool actions achieve attacker objectives: - Arbitrary code runs on the host system - Sensitive data is accessed or exfiltrated - Lateral movement to other systems begins - Persistence mechanisms are established ## Why it works Attack chains succeed due to architectural gaps: **Permission boundaries blur:** AI agents often have broad tool access that exceeds the injection surface's security context. A document processor might have both read and write capabilities, allowing injection to bridge from viewing to modifying. **Tool trust assumptions:** Systems often assume tool inputs are trustworthy because they come from the AI. If the AI is compromised through injection, all its tool outputs become suspect. **Context persistence:** Injected instructions can persist across conversation turns, memory stores, or shared contexts, affecting not just the current operation but future interactions. **Output validation gaps:** Many systems validate user inputs but fail to validate AI outputs before they reach tools or execution environments. ## Example pattern Consider a development automation agent with these capabilities: - Read and summarize code files - Write configuration files - Execute build commands **Chain progression:** 1. **Injection:** A code file contains hidden instructions targeting the summarization function 2. **Manipulation:** The AI is convinced to write a modified configuration that includes a malicious build step 3. **Tool abuse:** The AI writes the compromised configuration to a build directory 4. **Execution:** A subsequent build process reads the configuration and executes the injected command **Defense breakpoints:** - Input validation on code files (Stage 1) - Confirmation gates before file writes (Stage 3) - Sandbox restrictions on build execution (Stage 4) ## Where it shows up in the real world Research by EmbraceTheRed (wunderwuzzi) documents multiple real-world cases: **AI coding tools:** Vulnerabilities in Windsurf, Cline, and Amazon Q Developer where prompt injection led to arbitrary code execution through file write and command execution capabilities. **Document processing pipelines:** Systems that extract text from PDFs or documents and feed it to AI agents with file system access, creating injection-to-execution pathways. **Multi-agent workflows:** One compromised agent manipulates another, with the second agent having different tool permissions that enable execution the first agent lacked. ## Failure modes Attack chains fail when: - **Tool restrictions prevent harmful actions:** The AI lacks permissions to execute the injected commands - **Output validation catches manipulation:** Sanitization or review steps detect suspicious patterns - **Human confirmation interrupts:** Required approvals prevent automated progression - **Sandbox boundaries contain impact:** Execution environments limit what compromised code can access - **Monitoring detects anomalous behavior:** Behavioral analysis identifies unusual tool invocation patterns ## Defender takeaways Break attack chains at each stage: **Against injection:** - Validate and sanitize all external inputs - Treat document content as untrusted - Use content isolation for processing pipelines **Against manipulation:** - Implement system prompt hardening - Use constrained action surfaces - Monitor for context drift or unusual framing **Against tool abuse:** - Apply least-privilege tool access - Require confirmation for high-risk operations - Validate AI outputs before tool invocation **Against execution:** - Run AI-triggered actions in sandboxes - Implement behavioral monitoring - Maintain audit logs for forensic analysis ## Related lessons - BTAA-TEC-023 — Data Exfiltration via Side Channels - BTAA-FUN-034 — Cross-Agent Privilege Escalation - BTAA-DEF-016 — AI Coding Tool Security Defense - BTAA-FUN-027 — AI Agent Vulnerability Discovery --- ## From the Bot-Tricks Compendium Thanks for referencing Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans! Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.