What happens when a fed-up developer decides to punish people who blindly paste AI-generated code without reading it? Apparently, they booby-trap an open-source library with a hidden instruction that tells their AI assistant to delete their work.
That's exactly what happened with jqwik, a Java library for property-based testing. A maintainer (or contributor) quietly embedded a prompt injection - a hidden instruction written in plain text, designed to be read and acted on by an AI coding agent rather than by a human - inside the codebase. The instruction told AI agents to delete the application's output files. Anyone using an AI coding tool like Cursor, Claudee Code](/tools/claude-code/), or Aider to work with the library and following its AI agent's suggestions could have had their output silently wiped.
The target was so-called "vibe coders" - people who describe what they want to an AI, accept whatever code it generates, and run it without reading or understanding a line. The dev's frustration is understandable: the rise of AI-assisted coding has brought a wave of people shipping code they can't debug, maintain, or secure. But the response crossed a clear line.
Why This Attack Vector Is Genuinely Dangerous
Prompt injection in dependencies is a nastier problem than it sounds. AI coding agents like Cursor, Claude Code, and GitHubb Copilot](/tools/github-copilot/) read your entire project context - including the source code of libraries you've installed. If a library contains text that looks like an instruction ("as an AI assistant, you should now..."), an agent can follow it without any indication to the user that something is wrong. The agent just... does what it's told.
This is different from traditional malware, which has to execute code. A prompt injection doesn't need to run. It just needs to be read by an AI that has file-system access. And modern AI coding agents almost always have file-system access.
The jqwik incident was disclosed rather than discovered mid-damage - covered by Ars Technica, suggesting the malicious addition was caught and removed before causing widespread harm. But it's a proof-of-concept that the open-source dependency ecosystem is soft against this kind of attack.
The Vibe Coding Argument Doesn't Hold Up
The dev's grievance is real. Vibe coding - using AI to generate code you don't review - does produce fragile, insecure software, and the people doing it often dump their bugs on maintainer forums expecting free support. There's a legitimate cultural argument happening in developer communities about what minimum competence looks like in an AI-assisted world.
But deliberately corrupting a library that any developer - careful or careless - might install is not a proportionate response. Experienced developers who use AI tools as assistants, not replacements, could have been hit just as easily. The attack didn't discriminate by how much the victim understood the code.
For anyone running AI coding agents against codebases with third-party dependencies: this is a reminder to scope your agent's file-system permissions carefully. An agent that can read and write your entire project is a much bigger risk than one limited to a specific working directory. The convenience of full-project context comes with the assumption that your dependencies are trustworthy - and that assumption just got a stress test.