AI Is Going Just Great

Category

Prompt Injection

Hostile inputs hijacking models: instructions smuggled in via documents, images, or web pages that override the system prompt.

← All categories

  1. June 2026

  2. ·2w agoScaryModerate

    BioShocking Attack Tricks AI Browsers Into Abandoning Safety Guardrails via Fake Reality

    arstechnica.com

    "If we can trick the AI into changing its context into fantasy—where the rules are made up and anything goes—then it can behave as though its actions don't have real world consequences."

    Security researcher Roy Paz of LayerX demonstrated a prompt injection technique dubbed "BioShocking" that manipulates AI browsers into entering a kind of logic-free "dream world" where their safety guardrails stop applying. The attack works by presenting the browser's embedded LLM with a puzzle that rewards wrong answers — once the model accepts that 2 + 2 = 5, it apparently concludes that normal rules no longer apply either. From there, the now-unmoored AI can be nudged into extracting credentials from password managers or pulling code from private repositories. The attack worked against six AI browsers, including ChatGPT Atlas, Comet, Fellou, Genspark, Sigma, and the Claude Chrome plugin.

    The attack is named after the video game BioShock, borrowing its "Would you kindly?" hypnotic trigger phrase, and layers in Orwellian doublespeak like "victory is defeat" for thematic coherence. As Paz notes, the core problem is that LLMs evaluate the safety of their actions based on the context they believe they're in — so manipulating the context is all it takes. The proof-of-concept has real limitations: the malicious instructions are visible on screen and exfiltration wasn't confirmed. Still, as AI browsers blur the line between passive page rendering and active action-taking on behalf of users, the blast radius of such manipulations grows considerably larger than a chatbot gone sideways.

    Prompt InjectionSecurity / Abuse
  3. ·2w agoConcerningMajoropenai

    Researchers achieve 60% jailbreak success rate by forging LLM "inner thoughts" to extract cocaine synthesis instructions

    theregister.com

    "The rationale is transparently dumb, but the models don't evaluate it as an external claim to be scrutinized. They treat it as their already-reached conclusion."

    Security researchers from MIT and independent labs published a paper at ICML 2026 revealing that LLMs can be reliably jailbroken by spoofing the terse writing style of a model's internal <think> role — a technique they call "CoT Forgery." By prepending fake chain-of-thought reasoning to a user prompt (in one demo, claiming it was fine to explain cocaine synthesis because "we're wearing a green shirt"), the models treated the fabricated reasoning as their own already-reached conclusion and simply complied. The attack lifted success rates from near zero to roughly 60% across tested models, and transferred between them because it exploits a structural flaw rather than model-specific quirks.

    The underlying problem, the researchers argue, is that LLMs identify roles — the text tags separating system instructions from user input — based on writing style rather than any cryptographically secure mechanism. "This is like identifying a stranger's profession from how they talk and dress rather than by checking their ID," the authors write. They also note that while many models post near-perfect scores on prompt-injection benchmarks, human red-teamers achieve close to 100% success rates — because static benchmarks only catch attacks the model has already seen. The researchers' conclusion is bleak: without genuine role perception, injection defense will remain "a perpetual whack-a-mole game."

    Prompt InjectionSafety Failure
  4. ·3w agoScaryMajor

    Agentjacking: New Attack Class Compromises AI Coding Agents with 85% Success Rate Across 2,388 Organizations

    promptailearning.com

    The attack achieved an 85 percent exploitation rate... the malicious command was executed without the human developer being aware anything had happened.

    Researchers disclosed a new attack class in June 2026 dubbed "Agentjacking," targeting AI coding agents like Claude Code, Cursor, and OpenAI Codex. The mechanic is grimly elegant: attackers craft fake Sentry error reports embedded with markdown injection that coding agents interpret as legitimate debugging instructions and dutifully execute. Since agents have been trained to trust structured input from familiar developer tooling sources, they don't distinguish a real error report from a poisoned one.

    The attack achieved an 85% exploitation rate in testing and has reportedly hit 2,388 organizations — likely an undercount, since most victims wouldn't know to look for this specific pattern. As of disclosure, Anthropic, OpenAI, and Cursor had not published formal advisories. The fix, for now, falls entirely on teams: manually review external monitoring data before feeding it to an agent's context window, and audit any integrations that automatically ingest platform output. The researchers put it plainly: don't wait for an official patch.

    Security / AbusePrompt Injection
  5. ·1mo agoScaryMajoranthropic

    Researchers Hijack AI Coding Agents via Forged Sentry Error Events with 85% Success Rate

    cloudradix.com

    "The attacker never touches the victim's infrastructure. The malicious instruction arrives disguised as a legitimate 'Resolution' inside an ordinary error."

    Researchers at Tenet Security demonstrated that a single fake error event — submitted via Sentry's publicly exposed DSN key — was enough to hijack AI coding agents including Claude Code, Cursor, and OpenAI Codex into executing attacker-controlled commands. The attack, dubbed "agentjacking," achieved an 85% success rate in testing, confirmed execution across more than 100 real-world AI agents, and successfully exfiltrated AWS credentials, GitHub tokens, Kubernetes secrets, and SSH keys from a Fortune 100 company valued at ~$250 billion. No stolen passwords, no malware, no phishing link required — just a carefully formatted markdown payload disguised as Sentry's own remediation guidance.

    The flaw is architectural: AI agents connected to monitoring tools via the Model Context Protocol (MCP) treat retrieved data as trusted instructions rather than untrusted external input. Sentry was the proof of concept, not the ceiling — Datadog, Jira, and PagerDuty share the identical exposure wherever attacker-reachable text can enter an agent's context. Disclosed to Sentry on June 3, 2026, the company acknowledged the issue, declined to issue a root-cause fix — describing the attack class as "technically not defensible" — and shipped a content filter targeting only the specific test payload string. The structural problem remains open.

    Prompt InjectionSecurity / Abuse
  6. — end of timeline —