IBM AI ('Bob') Downloads and Executes Malware

IBM’s ‘Bob’ flunks the vibe check as users roast missed safety and name choice

TLDR: IBM’s new “Bob” assistant can be tricked into auto-running malware when users enable auto-approve, thanks to a missed safety check. Commenters roasted warning-only defenses and sloppy parsing, trading jokes about “Mallory” and Microsoft Bob while sparring over whether user settings or IBM’s safeguards deserve blame.

IBM’s brand-new coding assistant “Bob” just got dragged by the internet: researchers showed it can be tricked into downloading and running malware when users flip the “always allow” switch, and a cleverly crafted command slips past its filters. The community instantly went full popcorn mode. One dev laughed that Bob’s interface claims to block a risky shell trick, but the code simply… doesn’t. Another linked the classic “Parse, Don’t Validate” essay, arguing this is what happens when you try to “guess” commands instead of properly understanding them. Meanwhile, casuals chimed in with: “Wait, IBM is in this game?”

The drama centers on blame. Team Caution says IBM did warn auto‑approve is “high risk,” so don’t blindly click yes. Team Accountability fires back: warnings aren’t a substitute for real safeguards—especially in tools that can run commands. The jokes flew: “It was Bob? Sure it wasn’t Mallory?” (Mallory is the go-to name for the “bad actor” in security stories.) Others roasted the branding, begging Microsoft to resurrect the infamous “Bob” for an AI sequel. And it’s not just the command line: the Bob editor allegedly leaks data via images, fueling zero‑click fears. The verdict from the comments: fun name, serious holes.

Key Points

  • IBM’s AI coding agent Bob (Closed Beta) can be exploited to download and execute malware via indirect prompt injection and command validation bypass.
  • Bob CLI fails to correctly detect multi-part commands when chained with the redirect operator (>), allowing a single approval to execute multiple sub-commands.
  • Despite messaging that $(command) substitution is blocked, Bob’s code does not adequately restrict process substitution >(command), enabling malicious piping and execution.
  • A missing check in a JavaScript detection function for >(...) allows attackers to prefix payloads with auto-approved benign commands (e.g., echo) to run malware.
  • Bob IDE renders Markdown images under a CSP that permits requests to storage.googleapis.com, exposing users to zero-click data exfiltration vectors.
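
The validation gap described in the key points above, as an added JavaScript example that is not IBM's code and not taken from the research: a naive gate that only looks for `$(` and backticks, next to a quote-aware scan that also rejects process substitution and command chaining. The allowlist, function names and sample commands are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical auto-approve gate, not IBM Bob's code.
const ALLOWLIST = new Set(["echo", "ls", "pwd"]); // assumed benign commands

const firstWord = (cmd) => cmd.trim().split(/\s+/)[0];

// Naive gate: only knows about $( ) and backticks, so >( ) slips through.
function naiveAutoApprove(cmd) {
  const blocked = cmd.includes("$(") || cmd.includes("`");
  return ALLOWLIST.has(firstWord(cmd)) && !blocked;
}

// Quote-aware scan for every construct that can start another command.
// Deliberately conservative: "2>&1" and "$((1+2))" are flagged too.
function findShellHazards(cmd) {
  const hazards = new Set();
  let quote = null; // null, "'" or '"'
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i], next = cmd[i + 1];
    if (quote === "'") { if (c === "'") quote = null; continue; }
    if (c === "\\") { i++; continue; } // escaped character is literal
    if (c === '"') { quote = quote ? null : '"'; continue; }
    if (c === "'" && !quote) { quote = "'"; continue; }
    // These two expand even inside double quotes.
    if (c === "$" && next === "(") hazards.add("command-substitution");
    if (c === "`") hazards.add("command-substitution");
    if (quote) continue;
    // Unquoted only: process substitution and command separators.
    if ((c === ">" || c === "<") && next === "(") hazards.add("process-substitution");
    if (";|&\n".includes(c)) hazards.add("command-chaining");
  }
  if (quote) hazards.add("unterminated-quote");
  return [...hazards];
}

// Hardened gate: allowlisted first word AND no hazards, else ask the user.
function canAutoApprove(cmd) {
  return ALLOWLIST.has(firstWord(cmd)) && findShellHazards(cmd).length === 0;
}

// Constructed sample commands (harmless stand-ins for a payload).
for (const cmd of ["echo done", "echo done > >(cat)", 'echo "a > b; c"', 'echo "$(id)"']) {
  console.log(JSON.stringify(cmd), naiveAutoApprove(cmd), canAutoApprove(cmd), findShellHazards(cmd));
}
```

A character scan like this is still a deny-by-default heuristic, not a shell parser; anything it flags should fall back to an explicit user prompt rather than being rewritten and run.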

Hottest takes

"UI says they block process substitution, but the code doesn't" — hackerBanana
"Sounds like taking shortcuts instead of properly parsing" — omneity
"Would be more amusing if Microsoft resurrected the 'Bob' name" — walrus01