AI Threat Alert
Overcoming the Retrieval Barrier: Indirect Prompt Injection in the Wild for LLM Systems
rely on retrieving information from external corpora. This creates a new attack surface: indirect prompt injection (IPI), where hidden instructions are planted in the corpora and hijack model behavior once
Whispers of Wealth: Red-Teaming Google's Agent Payments Protocol via Prompt Injection
teaming evaluation of AP2 and identify vulnerabilities arising from indirect and direct prompt injection. We introduce two attack techniques, the Branded Whisper Attack and the Vault Whisper Attack which manipulate
The Landscape of Prompt Injection Threats in LLM Agents: From Taxonomy to Analysis
LLMs) has resulted in a paradigm shift towards autonomous agents, necessitating robust security against Prompt Injection (PI) vulnerabilities where untrusted inputs hijack agent behaviors. This SoK presents a comprehensive overview
Towards Reliable and Practical LLM Security Evaluations via Bayesian Modelling
prompts are designed imperfectly, and practitioners only have a limited amount of compute to evaluate vulnerabilities. We show the improved inferential capabilities of the model in several prompt injection attack
QueryIPI: Query-agnostic Indirect Prompt Injection on Coding Agents
high-privilege system access, creating a high-stakes attack surface. Prior work on Indirect Prompt Injection (IPI) is mainly query-specific, requiring particular user queries as triggers and leading
Trojan Horses in Recruiting: A Red-Teaming Case Study on Indirect Prompt Injection in Standard vs. Reasoning Models
automated decision-making pipelines, specifically within Human Resources (HR), the security implications of Indirect Prompt Injection (IPI) become critical. While a prevailing hypothesis posits that "Reasoning" or "Chain-of-Thought
Amplification Effects in Test-Time Reinforcement Learning: Safety and Reasoning Vulnerabilities
labels. However, this reliance on test data also makes TTT methods vulnerable to harmful prompt injections. In this paper, we investigate safety vulnerabilities of TTT methods, where we study
Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace
URLs and calling external tools. We show that this workflow gives rise to implicit prompt injection: adversarial instructions embedded in automatically generated URL previews, including titles, metadata, and snippets
How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition
data sources such as emails, documents, and code repositories. This creates exposure to indirect prompt injection attacks, where adversarial instructions embedded in external content manipulate agent behavior without user awareness
FocusAgent: Simple Yet Effective Ways of Trimming the Large Context of Web Agents
computational cost processing; moreover, processing full pages exposes agents to security risks such as prompt injection. Existing pruning strategies either discard relevant content or retain irrelevant context, leading to suboptimal
Hidden-in-Plain-Text: A Benchmark for Social-Web Indirect Prompt Injection in RAG
amplifying both their usefulness and their attack surface. Most notably, indirect prompt injection and retrieval poisoning attack the web-native carriers that survive ingestion pipelines and are very concerning
AdapTools: Adaptive Tool-based Indirect Prompt Injection Attacks on Agentic LLMs
powerful for complex task execution. However, this advancement introduces critical security vulnerabilities, particularly indirect prompt injection (IPI) attacks. Existing attack methods are limited by their reliance on static patterns
AgentDyn: A Dynamic Open-Ended Benchmark for Evaluating Prompt Injection Attacks of Real-World Agent Security System
However, the external data which agent consumes also leads to the risk of indirect prompt injection attacks, where malicious instructions embedded in third-party content hijack agent behavior. Guided
AegisAgent: An Autonomous Defense Agent Against Prompt Injection Attacks in LLM-HARs
understanding. However, the reliability of these systems is critically undermined by their vulnerability to prompt injection attacks, where attackers deliberately input deceptive instructions into LLMs. Traditional defenses, based on static
A Call to Action for a Secure-by-Design Generative AI Paradigm
Large language models have gained widespread prominence, yet their vulnerability to prompt injection and other adversarial attacks remains a critical concern. This paper argues for a security-by-design
It's a TRAP! Task-Redirecting Agent Persuasion Benchmark for Web Agents
professional networking. Their reliance on dynamic web content, however, makes them vulnerable to prompt injection attacks: adversarial instructions hidden in interface elements that persuade the agent to divert from
Clouding the Mirror: Stealthy Prompt Injection Attacks Targeting LLM-based Phishing Detection
phishing site. While these approaches are promising, LLMs are inherently vulnerable to prompt injection (PI). Because attackers can fully control various elements of phishing sites, this creates the potential
Toward Trustworthy Agentic AI: A Multimodal Framework for Preventing Prompt Injection Attacks
GraphChain. Nevertheless, this agentic environment increases the probability of the occurrence of multimodal prompt injection (PI) attacks, in which concealed or malicious instructions carried in text, pictures, metadata, or agent
Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols
simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs. Using this tactic, frontier models consistently evade diverse monitors
AgentSys: Secure and Dynamic LLM Agents Through Explicit Hierarchical Memory Management
Indirect prompt injection threatens LLM agents by embedding malicious instructions in external content, enabling unauthorized actions and data theft. LLM agents maintain working memory through their context window, which stores