Maintainer embeds prompt injection in Java testing library
jqwik 1.10.0 contains hidden ANSI-obfuscated instructions targeting AI agents, invisible to humans in terminals but visible in logs and to LLMs reading CI output.
June 4, 2026
Summary
Any project running agentic coding tools against dependencies that surface test output to LLM context windows can execute unreviewed maintainer-injected commands. This reframes supply chain risk: trust is no longer enough if your agent treats build logs as instructions.
Why it matters
Any project running agentic coding tools against dependencies that surface test output to LLM context windows can execute unreviewed maintainer-injected commands. This reframes supply chain risk: trust is no longer enough if your agent treats build logs as instructions.
Implementation verdict
Audit your lockfiles for net.jqwik:jqwik-engine 1.10.0 and upgrade to 1.10.1 or drop the dependency entirely. The real fix is mandatory: sandbox agents with read-only filesystem access during test runs and treat all tool output as untrusted input. Worth implementing now regardless of whether you use jqwik—this pattern will repeat.
Sources
- 1.Any pipeline that pulled the dependency and fed test output back into an LLM agent could have triggered the prompt injection.
- 2.The instruction lived in a new method called printMessageForCodingAgents(), inside the net.jqwik.engine.execution.JqwikExecutor class.
- 3.The code prints the instruction line, then prints ESC [2K followed by a carriage return, twice.
- 4.Treat tool output as untrusted input. Build your agent loops so text from build tools, test runners, and third-party processes never gets silently promoted to instructions.
- 5.Affected version: 1.10.0
Dev Signal
Get briefs like this in your inbox — free, 3x a week.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.