
Protestware by open source maintainer to hinder agentic coding: The jqwik 1.10.0 Prompt Injection

Blog post from Snyk

Post Details
Company: Snyk
Author: Brian Vermeer
Word Count: 1,358
Language: English
Summary

In May 2026, the maintainer of jqwik, a Java property-based testing library, released version 1.10.0 containing a hidden instruction aimed at AI coding agents, directing them to disregard previous commands and delete jqwik tests and code. The instruction was concealed from human readers using ANSI terminal escape codes, so it was visible only to agents that parse raw tool output. This posed a novel supply chain risk, although the real-world impact appears limited because some agents detected and ignored the injected prompt. The incident is the first known instance of a maintainer using prompt injection as a supply chain weapon, and it raises questions about whether such actions should be classified as vulnerabilities and what responsibilities fall on registry platforms and agent tool vendors. Following backlash, the maintainer admitted to the injection, stating his opposition to AI-assisted workflows, and subsequently released version 1.10.1 with a softened directive and opt-in hiding. The event underscores the importance of treating tool output as untrusted input rather than assuming that whatever a tool prints is safe to act upon, since future attempts may not stem from benign motivations.