AI Summary
This study identifies a critical security vulnerability in LLM-driven multi-agent software development systems (e.g., coder-reviewer-tester architectures): their high autonomy and lack of intrinsic safety mechanisms render them susceptible to code injection attacks. We first establish a fine-grained threat model tailored to multi-agent software pipelines. To address this, we propose a novel defense paradigm integrating a dedicated security analysis agent, enabling robust protection without compromising development efficiency. Empirical evaluation reveals that few-shot poisoning injections increase attack success rates from 0% to 71.95%. Experiments further demonstrate that the coder-reviewer-tester architecture exhibits superior robustness over coder-only or coder-tester variants; the security agent effectively reconciles efficient code generation with strong adversarial resilience; and advanced adversarial injection attacks are successfully reproduced and quantified. Our core contributions include: (1) a novel, pipeline-aware threat modeling framework; (2) a principled security agent architecture; and (3) empirical validation and characterization of poisoning-based injection attacks.
Abstract
Agentic AI and Multi-Agent Systems are poised to dominate industry and society imminently. Powered by goal-driven autonomy, they represent a powerful form of generative AI, marking a transition from reactive content generation to proactive multitasking capabilities. As an exemplar, we propose an architecture of a multi-agent system for the implementation phase of the software engineering process. We also present a comprehensive threat model for the proposed system. We demonstrate that while such systems can generate code quite accurately, they are vulnerable to attacks, including code injection. Due to their autonomous design and the lack of humans in the loop, these systems cannot identify and respond to attacks by themselves. This paper analyzes the vulnerability of multi-agent systems and concludes that the coder-reviewer-tester architecture is more resilient than both the coder and coder-tester architectures, but is less efficient at writing code. We find that by adding a security analysis agent, we mitigate the loss in efficiency while achieving even better resiliency. We conclude by demonstrating that the security analysis agent is itself vulnerable to advanced code injection attacks, showing that embedding poisonous few-shot examples in the injected code can increase the attack success rate from 0% to 71.95%.