Red Specter MIMIC
AI Code Generation Poisoning Framework — 7 subsystems. 36 techniques. 220 tests.
Overview
MIMIC targets the AI code generation pipeline that modern development teams depend on. Every developer using AI coding assistants trusts the suggestions they receive. MIMIC proves that trust is a vulnerability — manipulate what the AI suggests and every codebase it touches inherits your payload.
Your AI writes your code. MIMIC writes what it suggests.
Installation
$ mimic init
$ mimic status
SUGGEST — Suggestion Manipulation
| ID | Technique | Description |
|---|---|---|
| SG-001 | Context Poisoning | Craft file context that steers AI suggestions toward vulnerable patterns |
| SG-002 | Prompt Prefix Injection | Inject hidden instructions in code comments that influence completions |
| SG-003 | Completion Steering | Manipulate surrounding code to guide AI toward insecure implementations |
| SG-004 | Autocomplete Exploitation | Exploit autocomplete ranking to prioritise malicious suggestions |
| SG-005 | IDE Integration Attack | Attack the IDE-to-AI communication channel |
TRAIN — Training Data Poisoning
| ID | Technique | Description |
|---|---|---|
| TR-001 | Repository Poisoning | Inject vulnerable patterns into popular open-source repositories |
| TR-002 | Backdoor Pattern Injection | Plant subtle backdoors that AI learns to reproduce |
| TR-003 | Star-Bomb Attack | Artificially boost visibility of repositories containing vulnerable code |
| TR-004 | Dataset Contamination | Poison training datasets used for code model fine-tuning |
| TR-005 | Fine-Tuning Exploitation | Exploit fine-tuning pipelines to inject malicious behaviours |
INJECT — Vulnerability Injection
Inject subtle vulnerabilities via AI suggestions. SQL injection patterns, buffer overflows, insecure deserialization, authentication bypass, race conditions — all crafted to appear natural and pass casual code review.
COMPLETE — Completion Hijacking
Hijack code completion context. Function signature manipulation, import statement poisoning, dependency suggestion manipulation, and type confusion injection that alters the code path developers follow.
REVIEW — Review Bypass
Craft code that passes AI-powered code review tools. Semantic obfuscation, complexity hiding, diff minimisation, and review fatigue exploitation to ensure poisoned code merges undetected.
SUPPLY — Dependency Confusion
AI-assisted dependency confusion. Package name squatting via suggestion manipulation. Internal package namespace poisoning. Lockfile manipulation through AI-suggested dependency updates.
ANTIDOTE — Mandatory Restore
Baseline capture before any engagement. Code integrity verification. Full suggestion audit trail. Signed restoration certificate confirms clean state post-engagement.
MIMIC UNLEASHED
Standard mode detects. UNLEASHED exploits. Ed25519 crypto. Dual-gate safety. One operator.
$ mimic scan --target ./project
# UNLEASHED (dry run)
$ mimic suggest --language python --override
# UNLEASHED (live)
$ mimic campaign --target ./project --override --confirm-destroy
UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. Targets must be in allowed_targets.txt. 30-minute auto-lock. Unauthorised use violates applicable law.
CLI Reference
| Command | Description |
|---|---|
| mimic init | Initialise configuration and Ed25519 keys |
| mimic status | System status and subsystem count |
| mimic techniques | List all 36 code poisoning techniques |
| mimic scan | Scan target code generation attack surfaces |
| mimic suggest | SUGGEST — manipulate AI suggestions |
| mimic train | TRAIN — poison training data |
| mimic inject | INJECT — inject vulnerabilities via AI |
| mimic complete | COMPLETE — hijack completions |
| mimic campaign | Full code generation poisoning campaign |
| mimic engagements | List all engagement sessions |
MITRE ATLAS Mapping
MIMIC techniques map to MITRE ATLAS tactics including AML.T0020 (Poison Training Data), AML.T0043 (Data Poisoning), and OWASP Top 10 for LLM Applications including LLM03 (Training Data Poisoning) and supply chain attack vectors.
Disclaimer
Red Specter MIMIC is for authorised security testing only. Code generation poisoning can introduce vulnerabilities into production systems. You must have explicit written permission before testing any system. Unauthorised use may violate the Computer Misuse Act 1990 (UK), CFAA (US), or equivalent legislation.