indirect prompt injection

A privileged LLM plans actions based only on the user’s original request. The majority of those defences originally reported near-zero attack success rates. Cisco’s State of AI Security 2026 found that while most organisations planned to deploy agentic AI, only 29% reported being prepared to secure those deployments (Cisco, 2026).

The democratization of AI capabilities means that prompt injection attacks will only become more sophisticated and widespread. Many vendors have chosen not to fix reported vulnerabilities, citing concerns about impacting system functionality, a troubling indication that some AI systems may be “insecure by design.” Establish ongoing red team programs specifically focused on AI and agentic AI security. This unprecedented research effort exposed the shocking reality that virtually every AI system in production today is vulnerable to prompt injection attacks.

Attack Signal Intelligence surfaces these behaviors across the hybrid attack surface — including AI agent interactions — so SOC teams can identify and stop multi-stage attacks before they reach their objectives, regardless of how the initial access was achieved. Architectural separation — exemplified by Google’s User Alignment Critic, which evaluates agent actions using only metadata without exposure to untrusted content — demonstrates the value of isolating the evaluator from the attack surface. Organizations subject to the EU AI Act must complete conformity assessments that include robustness testing against adversarial attacks — including prompt injection — by the August 2, 2026 deadline for Annex III high-risk AI systems.

Victimology and Targeting

Specify clear output formats, request detailed reasoning and source citations, and use deterministic code to validate adherence https://214rentals.com/practical-tips-and-guidelines-for-programming-car-keys.html to these formats. Enforce strict context adherence, limit responses to specific tasks or topics, and instruct the model to ignore attempts to modify core instructions. Robust multimodal-specific defenses are an important area for further research and development.

  • EchoLeak moves prompt injection from a theoretical risk to a demonstrated, zero-click data exfiltration vector in a production AI system.
  • The Cline/OpenClaw supply chain attack and PromptPwnd CI/CD pipeline attacks further illustrate agentic injection at scale.
  • While intentional and direct injection represents a threat to the developer from the user, unintentional indirect injection represents a threat from the data-author to the user.
  • As artificial intelligence agents become deeply integrated into everyday web browsing and automated tasks, threat actors are adapting their strategies to exploit this new attack surface.
  • Relying solely on a system prompt crafted with instructions to be careful of injection attempts has limited effectiveness.
  • There’s also a fuzzing element because LLMs can interpret diverse inputs, including encoded formats or creative language, often processing them as valid instructions.

The model, trained to follow conversational context, may resolve the ambiguity between its system prompt and the attacker’s framing by partially deferring to the attacker’s context. But https://compitionpoint.com/understanding-nfl-standings-insights-data-trends-and-tech-perspectives/ OWASP LLM01 describes two distinct attack classes under one label, and the defenses for each are different enough that treating them as one problem leads to systematically incomplete coverage. Direct injection is covered for contrast and completeness, but the deeper technical breakdown, real-world examples, and defensive architecture guidance centre on indirect injection.

Fake 7-Zip Installer Campaign Exposes Lurking Lizard’s Residential Proxy Ecosystem

indirect prompt injection

On November 14, Anthropic disclosed what it called the first documented case of a large-scale cyberattack executed primarily by AI. And these are so common and arguably so easy to perform that prompt injection attacks have already happened at nation-state scale. They scanned 2 to 3 billion crawled web pages per month and found a 32% jump in malicious indirect prompt injections between November 2025 and February 2026. „AIRTBench results indicate that although models are effective at certain vulnerability types, notably prompt injection, they remain limited in others, including model inversion and system exploitation – pointing to uneven progress across security-relevant capabilities,“ the researchers said. „We believe robustness to indirect prompt injection, in general, will require defenses in depth – defenses imposed at each layer of an AI system stack, from how a model natively can understand when it is being attacked, through the application layer, down into hardware defenses on the serving infrastructure.“

Input Validation and Sanitization

Like direct injections, indirect injections can be either intentional or unintentional. The OpenClaw campaign demonstrated this at scale, with approximately 4,000 developer machines compromised. AI agents with MCP access can execute commands, access files, query databases, and communicate externally.

Behi (@Behi_Sec) has documented this approach across two Gemini findings. It pushes researchers toward the attacks that matter most in real deployments, injection through third-party integrations, cross-tool data poisoning, and memory manipulation without confirmation prompts. The scope is specific and worth understanding before hunting. Each piece of data carries capability metadata that restricts what actions it can trigger.

What Is Indirect Prompt Injection?

indirect prompt injection

Govern the context, and the attack surface shrinks at the foundation. Most enterprises are over-invested in “red teaming prompts” — trying to anticipate and filter attacker inputs — and under-invested in governing what agents can know, retrieve, and treat as canonical truth. This architectural separation does not eliminate injection https://labverra.com/articles/full-time-job-opportunities-little-rock/ risk, but it significantly reduces the attack surface by preventing untrusted data from reaching the instruction-processing path. An agent should only have access to the tools, data, and permissions it needs for its specific task.

Case 1: Slack AI Data Exfiltration

By inserting a small number of carefully crafted documents into the retrieval corpus, attackers can cause the RAG system to reliably return attacker-chosen answers for specific queries — without touching the underlying model. This architecture is powerful — it gives agents access to up-to-date, domain-specific knowledge. The impact scales with the agent’s autonomy and the depth of its tool access. When the agent reads the poisoned content as part of its normal task, it encounters the hidden instructions embedded within — and follows them, because it cannot distinguish those instructions from the legitimate content surrounding them. For agents with tool access — the ability to send API calls, execute terminal commands, or write to databases — direct injection can cascade into real-world harm.

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini. This covers direct injection (explicit override attempts, jailbreaks, role manipulation) and, to a degree, indirect injection when the injected content arrives via a user-controlled channel. In its 2026 Global Threat Report, CrowdStrike reported prompt injection attacks at more than 90 organizations during 2025. Look for policy violations, unexpected commands, and data exfiltration patterns.

indirect prompt injection

Zscaler’s ThreatLabz documented two real-world campaigns which used a technique called indirect prompt injection, where instructions are planted in content an AI agent reads, such as a web page, to steer its behavior. In February 2025, Ars Technica reported vulnerabilities in Google’s Gemini AI to indirect prompt injection attacks that manipulated its long-term memory. In January 2025, Infosecurity Magazine reported that DeepSeek-R1, a large language model (LLM) developed by Chinese AI startup DeepSeek, exhibited vulnerabilities to direct and indirect prompt injection attacks. In December 2024, The Guardian reported that OpenAI’s ChatGPT search tool was vulnerable to indirect prompt injection attacks, allowing hidden webpage content to manipulate its responses. Threats to RAG systems including knowledge base poisoning, indirect prompt injection, and data exfiltration, with practical defenses.