All news with #prompt injection attack tag

🛡️ Researchers disclosed a critical prompt-injection flaw, codenamed DockerDash, that allowed malicious Docker image metadata to hijack the Ask Gordon AI assistant in Docker Desktop and the Docker CLI. The vulnerability, discovered by Noma Labs, could enable remote code execution or sensitive data exfiltration by treating unverified LABEL fields as executable instructions. Docker fixed the issue in Ask Gordon version 4.50.0 (November 2025). Administrators should upgrade and apply zero-trust validation to AI toolchains and MCP/Gateway integrations.

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw exploits a trust failure in the Model Context Protocol (MCP) gateway: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker issued mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.

🔒 Researchers at Unit 42 demonstrated how attackers can convert benign webpages into bespoke phishing pages by calling LLMs from client-side code to generate malicious JavaScript in real time. This polymorphic technique assembles malware inside the victim’s browser, leaving no static payload and evading many traditional network and signature controls. Defenders are advised to prioritize message-layer protections, secure web gateways, and secure enterprise browsers to block the initial lure and the last mile reassembling of malicious code.

🤖 The essay examines why large language models remain vulnerable to prompt injection attacks and why incremental vendor fixes are insufficient. It explains that LLMs collapse layered human context into token similarity, lack social learning and interruption reflexes, and are trained to answer rather than defer. The authors warn that agents with tool access amplify these risks and argue for fundamental advances—such as task-specific constraints, real-world grounding, or new architectures—rather than patchwork defenses.

⚠️ Unit 42 details a technique where seemingly benign webpages call trusted LLM APIs from the browser to generate malicious JavaScript dynamically and execute it at runtime. Carefully engineered prompts can bypass model safety guardrails and return credential-harvesting code that assembles in-browser into personalized phishing pages. Because payloads are served via trusted domains and differ per visit, this approach defeats many static and network-based detectors, making runtime behavioral analysis the most effective mitigation.

🚨 Cybersecurity researchers have identified three prompt-injection vulnerabilities in Anthropic's reference Git server implementation, mcp-server-git, affecting default installations and all releases before 8 December 2025. The flaws let attackers manipulate what an AI assistant reads—such as a README, issue text or a webpage—to cause unintended actions without credentials or system access. Exploits can enable code execution when combined with a filesystem MCP server, delete arbitrary files, or load sensitive files into a model's context. Anthropic accepted the reports in September and issued patches in December 2025; affected users are urged to update immediately.

⚠️ A trio of vulnerabilities in mcp-server-git, the official MCP Git server maintained by Anthropic, can be chained to read or delete arbitrary files and, in certain scenarios, achieve remote code execution. Cyata researcher Yarden Porat showed these issues are exploitable via prompt injection when an AI assistant ingests attacker-controlled content such as a malicious README or poisoned issue text. Fixes were released in 2025.9.25 and 2025.12.18; users should update the Python package promptly to mitigate risk.

📅 A newly disclosed weakness in Google’s Gemini demonstrates how routine calendar invites can be weaponized to influence model behavior. Miggo researchers found that Gemini ingests full event context — titles, times, attendees and descriptions — and may treat that content as actionable instructions. The issue reframes calendar entries from inert data into a potential prompt‑injection vector, highlighting risks as enterprises embed generative AI into day‑to‑day workflows.

🔐 Researchers at Varonis Threat Labs uncovered 'Reprompt', a one-click attack that abuses Microsoft Copilot Personal by embedding prompts in URLs and using follow-up server requests to exfiltrate data. It combines a URL 'q' parameter injection, a double-request bypass of initial sanitization, and chained server instructions to siphon conversation history and files without further user interaction. Microsoft issued a patch; organizations should treat prefilled prompts as untrusted and enforce continuous authentication, least privilege, prompt hygiene, auditing, and anomaly detection.

🔒 Cybersecurity researchers disclosed a novel method called Reprompt that can enable single-click data exfiltration from AI chatbots, notably Microsoft Copilot, while bypassing typical enterprise controls. The technique exploits the Copilot q URL parameter to inject instructions from a link, then uses repeated requests and a remote attacker server to continue covert fetching and return of sensitive data with no further user interaction. Microsoft says it addressed the issue and that Microsoft 365 Copilot enterprise customers are not affected, but researchers warn the approach turns Copilot into an invisible exfiltration channel.

🛡️As AI copilots and assistants are embedded into daily work, recent incidents show the primary risk lies in surrounding workflows rather than in the models themselves. Malicious Chrome extensions that exfiltrated ChatGPT and DeepSeek chats and prompt injections that tricked an AI coding assistant into executing malware exploited integration contexts, not model internals. The piece advises mapping AI usage, applying least-privilege, enforcing middleware guardrails to scan outputs, and using dynamic SaaS platforms like Reco to detect and control risky workflows.

⚠️ Security researchers at Varonis disclosed a vulnerability, dubbed Reprompt, that could let attackers hijack a user's Copilot Personal session by embedding malicious instructions in a URL. The attack leverages the 'q' URL parameter to inject prompts that execute when the page loads, then uses chained server-side follow-up requests to maintain access and exfiltrate data after a single click. Varonis reported the issue to Microsoft on August 31, and Microsoft issued a fix on the January 2026 Patch Tuesday; users should apply the latest Windows update promptly.

🛡️ Prisma AIRS integrates with Factory’s Droid Shield Plus to secure agent-native software development by inspecting all LLM interactions in real time. The platform monitors prompts, model responses and downstream tool calls to detect prompt injection, secret leakage and malicious code execution. Using an API Intercept pattern, Prisma AIRS can coach, block or quarantine risky inputs and generated outputs before they reach developers or repositories. This native, continuous protection is designed to preserve developer velocity while improving deployment confidence.

🔒 AI systems face a growing range of attacks—from data poisoning and model poisoning during training to adversarial inputs, prompt injection, and model theft during deployment. These threats exploit weak data governance, supply chain dependencies, and inadequate monitoring. Security leaders should adopt proactive controls including provenance tracking, adversarial testing, rate limits, and routine red teaming. Frameworks like MITRE ATLAS can help map attacker techniques and prioritize defenses.

⚠️Security researchers disclosed a high-severity vulnerability in Open WebUI (CVE-2025-64496) that allows external model servers connected via the Direct Connections feature to stream server-sent events that execute JavaScript in the browser. Malicious code can read long-lived JSON Web Tokens stored in localStorage to take over accounts and access workspaces, documents, chats, and embedded API keys. With elevated workspace.tools permissions, attackers can escalate to remote code execution on backend servers. Organizations should patch to v0.6.35 immediately.

🔍 Microsoft pushed back after security engineer John Russell disclosed multiple prompt injection and sandbox-related issues in Copilot, which the company says do not meet its vulnerability criteria. Russell reported indirect and direct prompt injection that could leak the system prompt, a file-upload bypass via base64-encoding, and the execution of commands inside Copilot's isolated Linux environment. Microsoft told BleepingComputer it reviewed the reports against its public bug bar and assessed them as out of scope when they did not cross clear security boundaries or impacted only the requesting user's environment. The exchange highlights differing definitions of AI risk between vendors and researchers.

🔒 2025 exposed major, real-world risks across the AI ecosystem as rapid adoption of agentic AI expanded enterprise attack surfaces. Researchers documented pervasive Shadow AI and vulnerable vendor tools, AI supply-chain poisoning, credential theft (LLMjacking), prompt-injection attacks, and rogue or misconfigured MCP servers. These incidents affected popular frameworks and cloud services and resulted in data breaches, remote-code execution, and costly fraud.

⚠️ Checkmarx research shows Human-in-the-Loop (HITL) confirmation dialogs can be manipulated so attackers embed malicious instructions into prompts, a technique the researchers call Lies-in-the-Loop (LITL). Attackers can hide or misrepresent dangerous commands by padding payloads, exploiting rendering behaviors like Markdown, or pushing harmful text out of view. Approval dialogs meant as a final safety backstop can thus become an attack surface. Checkmarx urges developers to constrain dialog rendering and validate approved operations; vendors acknowledged the report but did not classify it as a vulnerability.

🤖 Brave has begun testing an agentic AI browsing mode that uses its privacy-focused assistant Leo to perform autonomous tasks like web research, product comparison, promo-code discovery, and news summarization. The feature is currently available in Brave Nightly and is disabled by default. Brave isolates the agent in a separate profile without access to cookies, logins, or sensitive data and adds restrictions plus an alignment checker to mitigate prompt-injection and other risks.

⚠️ Gartner analysts Dennis Xu, Evgeny Mirolyubov and John Watts strongly recommend that enterprises block AI browsers for the foreseeable future, citing both known vulnerabilities and additional risks inherent to an immature technology. They warn of irreversible, non‑auditable data loss when browsers send active web content, tab data and browsing history to cloud services, and of prompt‑injection attacks that can cause fraudulent actions. Concrete flaws—such as unencrypted OAuth tokens in ChatGPT Atlas and the Comet 'CometJacking' issue—underscore that traditional controls are insufficient; Gartner advises blocking installs with existing network and endpoint controls, restricting pilots to small, low‑risk groups, and updating AI policies.