MOSAIC-Bench Reveals Coding Agents Compose Exploitable Code from Innocuous Tasks

MOSAIC-Bench (Malicious Objectives Sequenced As Innocuous Compliance) has been developed by researchers as a benchmark to assess the ability of coding agents to generate exploitable code via decomposed tasks. This benchmark features 199 three-stage attack chains linked with deterministic exploit oracles across 10 web application substrates, encompassing 31 CWE classes and 5 programming languages. It evaluates both exploit ground truth and downstream reviewer protocols. Testing involved nine coding agents from Anthropic, OpenAI, Google, Moonshot, Zhipu, and Minimax, revealing end-to-end attack success rates (ASR) ranging from 53% to 86%, with only two refusals noted throughout all stages. The research indicates a critical vulnerability in current safety alignment practices, which overlook malicious outcomes arising from seemingly benign requests, highlighting the necessity for new safety evaluation frameworks that address compositional risk.