XOXO: Stealthy Cross-Origin Context Poisoning Attacks against AI Coding Assistants

Adam Štorek, Mukur Gupta, Noopur Bhatt, Aditya Gupta, Janie Kim, Prashast Srivastava, Suman Jana

Abstract
AI coding assistants automatically gather context from potentially untrusted sources to generate code recommendations. We introduce Cross-Origin Context Poisoning (XOXO), a novel attack that exploits this automatic context inclusion by subtly manipulating code without changing its semantics. Attackers introduce semantics-preserving transformations (e.g., renamed variables) to shared code, causing AI assistants to unknowingly recommend vulnerable code patterns to victims. To systematically identify effective transformations, we present Greedy Cayley Graph Search (GCGS), a black-box algorithm that efficiently composes transformations to identify adversarial inputs. Our evaluation demonstrates XOXO’s effectiveness at making LLMs generate buggy and vulnerable code, achieving average attack success rates of 73.20% against eight state-of-the-art models including GPT 4.1 and Claude 3.5 Sonnet v2, with vulnerability injection rates up to 66.67%. We also demonstrate a real-world attack against GitHub Copilot, highlighting critical security gaps in current AI coding tools.
Anthology ID:
2026.acl-long.521
Volume:
Proceedings of the 64th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)
Month:
July
Year:
2026
Address:
San Diego, California, United States
Editors:
Maria Liakata, Viviane P. Moreira, Jiajun Zhang, David Jurgens
Venue:
ACL
SIG:
Publisher:
Association for Computational Linguistics
Note:
Pages:
11350–11373
Language:
URL:
https://aclanthology.org/2026.acl-long.521/
DOI:
Bibkey:
Cite (ACL):
Adam Štorek, Mukur Gupta, Noopur Bhatt, Aditya Gupta, Janie Kim, Prashast Srivastava, and Suman Jana. 2026. XOXO: Stealthy Cross-Origin Context Poisoning Attacks against AI Coding Assistants. In Proceedings of the 64th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 11350–11373, San Diego, California, United States. Association for Computational Linguistics.
Cite (Informal):
XOXO: Stealthy Cross-Origin Context Poisoning Attacks against AI Coding Assistants (Štorek et al., ACL 2026)
Copy Citation:
PDF:
https://aclanthology.org/2026.acl-long.521.pdf
Checklist:
 2026.acl-long.521.checklist.pdf
PDF Cite Search Checklist Fix data