PROMPT INJECTION
9 hacks.
Automated prompt injection is model-dependent: TAP beats GCG, GPT-5 resists
A June 9, 2026 ETH Zurich study adapts GCG and TAP to AgentDojo across 80 agent task pairs. Black-box TAP beats gradient-based GCG, yet attacks tuned on small models fail to transfer to GPT-5.
Reprompt: one-click Copilot data exfiltration via prefilled-URL prompts
A patched Copilot Personal flaw chained a prefilled-URL prompt, a guardrail that only checked the first request, and server-driven follow-ups into stealthy one-click data exfiltration. The bypass lessons generalise.
Web chatbot plugins: how insecure widgets amplify prompt injection
An IEEE S&P 2026 study of 17 chatbot plugins on 10,000+ sites found forgeable conversation histories (3-8x stronger injections) and web-scraping tools that mix trusted and untrusted content.
ASPI: asking the user to clarify widens the injection surface
A May 17, 2026 arXiv benchmark shows that when an agent pauses to ask the user for clarification, prompt-injection success climbs from under 2% to over 34% on o3 and Gemini-3-Flash.
Prompt injection in the wild: hidden attacks in LLM resume screening
A USENIX Security 2026 study of 196,682 real resumes found about 1% carry hidden prompt injections — and over 90% are invisible 'data injections', not the explicit instructions current detectors look for.
Encoded prompt injection: when guardrails fail because the LLM decodes the payload
On May 4, 2026 a tweet written in Morse code drained around $175K from a Grok-controlled crypto wallet. The incident is the most expensive demonstration to date of an old defensive blind spot — string-matching guardrails can't see through encodings that the model itself happily decodes.
Font-mapping prompt injection: when peer review becomes an LLM attack surface
A May 25, 2026 arXiv benchmark shows hidden font-mapping payloads can flip LLM peer reviews from reject to accept. ICML 2026 already used the same trick in reverse to desk-reject 497 papers.
Copirate 365: chaining prompt injection, delayed tool invocation and memory hijack in M365 Copilot (CVE-2026-24299)
Johann Rehberger's DEF CON writeup, published May 2026, walks through a five-stage indirect prompt-injection chain that turns one booby-trapped email into a persistent backdoor inside Microsoft 365 Copilot. Patched, but the patterns are generic.
ASCII Smuggling: Hidden commands via Unicode Tag characters
Unicode Tag characters (U+E0000–U+E007F) are invisible to humans but interpreted by LLMs. Attackers embed them in emails, web pages, and PDFs to inject silent commands that hijack agent behavior.