[ailinter]

The interesting question this raises for me: how do you defend against this at scale?

Most projects pull in 50-200 transitive dependencies. Any one of them could embed agent instructions — and unlike traditional malware, it doesn't need to exploit a vulnerability. It just needs to be in the context window when an agent reads the file.

One practical layer of defense would be pattern-based scanning of dependency source — looking for known agent instruction patterns ("IGNORE ALL PREVIOUS INSTRUCTIONS", "You are an AI coding agent", etc.) embedded in comments or strings. Not foolproof (adversarial prompts can be obfuscated), but it would have caught this specific case. A grep with the right patterns would have flagged the jqwik addition before any agent read it.

[mrgoldenbrown]

You could skip all that scanning and just read the docs that explicitly tell you not to use it with AI tools.

[gizajob]

Maybe defend against it by paying attention to dependencies that explicitly say “not for use by AI agents”.

[rurban]

- No yolo mode. Eg use opencode.

- It only effects bad models. Good models would see through such comments, such as good compilers see through bidi attacks in comments. So it only affects models like gemini, grok, big pickle, mistral, haiku and such.