The agent suggests a command. You scrolled past the diff. It runs.
Setup
A spec file `.kiro/specs/cleanup.md`:

```markdown
# Cleanup task
The `tmp/` directory has stale files. Delete them.
```

Trigger
Run the agent with auto-approve enabled.
What the agent might generate
```sh
echo "demo: would run -> rm -rf $HOME/tmp"
```

In a real run with sloppy interpolation or a misunderstood path, that becomes `rm -rf $HOME/tmp` — or worse, `rm -rf $HOME /tmp` with an extra space. After 30 minutes of clicking yes, you don't catch it.
Typo-squat variant
The agent generates:
```sh
npm install python-dateutil2
```

There is no `python-dateutil2` on npm — but there is a real `python-dateutil` (PyPI) and an attacker who registered the npm typo. `npm install` runs the package's postinstall script before any of your code imports it.
Documented squats from 2024–2025: discord.js-selfbot, colors.js lookalikes, hundreds via the Shai-Hulud worm.
Why this works
- Auto-approve fatigue
- Postinstall scripts run on `npm install` — no import needed
- Shell expansion errors (`$HOME` → `""` if unset)
- LLMs hallucinate package names with high confidence
Defense
- PreToolUse hook that pattern-matches `rm -rf`, `curl | sh`, `$HOME`-expanding deletes
- Tightly scoped specs so unexpected commands are obviously off-spec
- `npm config set ignore-scripts true` (see defenses)
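As an added example (not code from this page or from Kiro), here is a screen that a PreToolUse-style hook could run over a proposed command before it executes; it assumes the hook supplies the command string and the environment it will run under, and it covers the failure modes above: an unset `$HOME`, the stray-space `rm`, `curl | sh`, and `npm install` without `--ignore-scripts`.

```python
import re
import shlex

# Assumption (not from the page): the hook hands this function the proposed
# shell command as a string plus the environment it will run under, and blocks
# the tool call when the returned list of reasons is non-empty.

VAR = re.compile(r"\$(\w+|\{\w+\})")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")
NPM_INSTALL = {"install", "i", "add"}


def expand(cmd, env):
    """Expand $VAR / ${VAR} the way sh does: an unset variable becomes ''."""
    return VAR.sub(lambda m: env.get(m.group(1).strip("{}"), ""), cmd)


def findings(cmd, env):
    """Reasons to block `cmd`; an empty list means let it through."""
    reasons = []
    for name in {m.strip("{}") for m in VAR.findall(cmd)}:
        if name not in env:
            reasons.append(f"${name} is unset and expands to ''")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("download piped straight into a shell")
    try:
        argv = shlex.split(expand(cmd, env))  # what the shell would actually see
    except ValueError:
        return reasons + ["command does not parse"]
    if len(argv) > 1 and argv[0] == "npm" and argv[1] in NPM_INSTALL \
            and "--ignore-scripts" not in argv:
        reasons.append("npm install runs the postinstall script of every new package")
    if argv and argv[0] == "rm":
        flags = "".join(a[1:] for a in argv[1:] if a.startswith("-"))
        targets = [a.rstrip("/") or "/" for a in argv[1:] if not a.startswith("-")]
        if "r" in flags or "R" in flags:
            home = env.get("HOME", "").rstrip("/")
            for t in targets:
                # "/tmp" after $HOME expanded to "" is a top-level path
                if t in ("/", "~") or (t.startswith("/") and t.count("/") == 1):
                    reasons.append(f"recursive rm of top-level path {t!r}")
                elif home and t == home:
                    reasons.append("recursive rm of the home directory itself")
            if len(targets) > 1:
                reasons.append("recursive rm with several targets (stray space?)")
    return reasons
```

The scoped command `rm -rf $HOME/tmp` with `HOME` set passes, while the same string with `HOME` unset, the stray-space variant, and a bare `npm install` all come back with reasons.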