Repo-Injection: When Your AI Code Reviewer Gets Hacked
Developers rely on AI to review third-party code before it reaches production. Repo-Injection shows how that workflow can be manipulated, allowing a malicious package to both execute and influence the outcome of its own review.
AI-assisted code review is now a standard step in the development process. It is often treated as a checkpoint before new dependencies are trusted.
Repo-Injection breaks that model.
A single package can contain a malicious install-time script alongside hidden instructions embedded in its files. When reviewed, those instructions are processed by the AI, shaping how the code is interpreted and what gets surfaced.
In testing, install scripts executed in every case, exfiltrating credentials regardless of the AI’s assessment. In some scenarios, the analysis itself was influenced, softening or omitting critical findings.
The result is a shift in how risk should be understood.
The question is no longer whether the AI flags the issue. It is whether the system allows the code to run before that decision is made.
Repo-Injection traces how this gap emerges and what it means for teams relying on AI in security workflows.
Read the full paper here:
