惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
博客园_首页
H
Help Net Security
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
GbyAI
GbyAI
Scott Helme
Scott Helme
D
Docker
Hacker News: Ask HN
Hacker News: Ask HN
P
Privacy & Cybersecurity Law Blog
Jina AI
Jina AI
雷峰网
雷峰网
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Spread Privacy
Spread Privacy
G
GRAHAM CLULEY
C
Cisco Blogs
The Hacker News
The Hacker News
F
Full Disclosure
Y
Y Combinator Blog
Blog — PlanetScale
Blog — PlanetScale
Recent Announcements
Recent Announcements
G
Google Developers Blog
量子位
K
Kaspersky official blog
Cisco Talos Blog
Cisco Talos Blog
The Cloudflare Blog
A
About on SuperTechFans
C
Cybersecurity and Infrastructure Security Agency CISA
Last Week in AI
Last Week in AI
博客园 - 三生石上(FineUI控件)
Microsoft Security Blog
Microsoft Security Blog
Martin Fowler
Martin Fowler
T
Tenable Blog
P
Palo Alto Networks Blog
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
Schneier on Security
Schneier on Security
The Register - Security
The Register - Security
F
Fortinet All Blogs
Stack Overflow Blog
Stack Overflow Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
Hugging Face - Blog
Hugging Face - Blog
小众软件
小众软件
V
V2EX
爱范儿
爱范儿

Hacker News - Newest: "LLM"

GitHub - lechmazur/position_bias: A benchmark for testing whether LLM judges keep the same preference when two lightly edited versions of the same story are shown in opposite orders. Flex routing (EU and EFTA) Dark Factories: Retooling for LLM Velocity Ask HN: What would be the impact of a LLM output injection attack? GitHub - AronDaron/dataset-generator: No-code desktop app for generating high-quality synthetic datasets to fine-tune LLMs — plan-then-execute pipeline, LLM-as-judge, HuggingFace upload. GitHub - Oaklight/llm-rosetta: Production-ready LLM API translation layer for Python — bidirectional conversion between OpenAI, Anthropic & Google formats via hub-and-spoke IR. Optional API gateway. Streaming & non-streaming. Zero core deps. Contributions welcome! GitHub - browser-use/browser-harness: Self-healing browser harness that enables LLMs to complete any task. GitHub - moeen-mahmud/remen: Remen turns thoughts into something you can return to Analyzing 156 LLM Launch Posts on Hacker News ChatGPT vs Gemini vs Claude: The Best LLM Subscription You Should Buy GitHub - salaamalykum/quran-semantic-search: High-density RAG Semantic Search Engine & Quran Corpus (GEO/SEO Architecture) GitHub - NVIDIA/TensorRT-LLM: TensorRT LLM provides users with an easy-to-use Python API to define Large Language Models (LLMs) and supports state-of-the-art optimizations to perform inference efficiently on NVIDIA GPUs. TensorRT LLM also contains components to create Python and C++ runtimes that orchestrate the inference execution in a performant way. The State of LLM Bug Bounties in 2026 Operational Readiness Criteria for Tool-Using LLM Agents Meshcore: Architecture for a Decentralized P2P LLM Inference Network How an LLM becomes more coherent as we train it GitHub - seetrex-ai/laimark GitHub - Jossifresben/BibCrit: AI-assited biblical textual criticism GitHub - wastedcode/memex: File system based wiki, maintained by Claude 99helpers.com GitHub - cliver-project/AITrigram GitHub - unbody-io/adapt: A self-evolving memory layer for AI agents. GitHub - hb20007/awesome-gen-ai-fails: A list of incidents where reliance on generative AI and LLMs resulted in harm to companies, individuals, or society GitHub - nevenkordic/localmind: Run any local LLM with persistent memory and context. CLI agent over Ollama with SQLite-backed hybrid recall. No cloud. Ask HN: What are the machine requirements for a LLM like Llama-3.1-8B? Faster LLM Inference via Sequential Monte Carlo grpo explained: group relative policy optimization for llm finetuning - cgft Stop comparing price per million tokens: the hidden LLM API costs · TensorZero Andrej Karpathy's LLM Wiki Is a Bad Idea GitHub - GG-QandV/mnemostroma: Offline RAM-first cognitive leer/coprocessor for AI agents and robotics. Solves "Context Abandonment" with 20-80ms latency using a dual-thread biomimetic memory architecture (ONNX + SQLite WAL). mempalace/agent at agent · skorotkiewicz/mempalace GitHub - Nyquest-ai/nyquest-rust-fullstack-pub: Nyquest — Semantic Compression Proxy for LLMs. 350+ rules, local LLM stage, 15-75% token savings. Full Rust stack. GitHub - TheoV823/mneme: Enforce architectural decisions in AI-assisted development. GitHub - klemenvod/TokenBrawl: A 1v1 Bomberman-style game where two LLM agents play autonomously against each other. No human plays — you watch the AIs fight. Each agent receives a text description of the board state, reasons about it, and outputs a move as JSON. The game engine executes it. Introducing the Common AI Provider: LLM and AI Agent Support for Apache Airflow Power Circuit AI: Designing Power Electronic Circuits for Motor Drives with Generative Artificial Intelligence Ask HN: How to program with IDE and LLM on CPU locally? Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Bonsai 1-bit WebGPU - a Hugging Face Space by webml-community The LLM Fallacy: Misattribution in AI-Assisted Cognitive Workflows Ask HN: Simple tooling for local LLM code critique without IDE integration? Can a General LLM Diagnose a DICOM Slice? A 10-Case Public Benchmark Charts-of-Thought: Enhancing LLM Visualization Literacy (PDF, 2026) GitHub - Mesh-LLM/mesh-llm: Distributed AI/LLM for the people. Share compute privately or publicly to power your agents and chat. GitHub - seamus-brady/springdrift: A persistent runtime for long-lived LLM agents Writing an LLM from scratch, part 32k -- Interventions: training a better model locally with gradient accumulation Ask HN: Which LLM model and agentic CLI are you using for local development? GitHub - wayneColt/modelcascade: Route local. Escalate smart. Never overspend. Open-source multi-model cascade routing for autonomous agents. LLM pricing is 100x harder than you think GitHub - asakin/llm-primer: Pre-warmed Claude Code sessions in tmux. No startup wait. GitHub - EggerMarc/chat-rs: A multi-provider LLM framework for Rust. GitHub - SynapseKit/SynapseKit: Minimal, async-first Python framework for production LLM apps- 2 hard deps, no magic, no SaaS. A Claude Skill that Makes LLM Paragraphs More Bearable Does Gas Town 'steal' usage from users' LLM credits & paid services to improve itself? What's Claude Code Actually Doing? Open the Black Box with the Arthur Engine Milla Jovovich's New Open Source LLM Memory App and the Dark Code Problem Your intuition of LLM token usage might be wrong Show HN: Bloomberg Terminal for LLM ops – free and open source GitHub - 0xchamin/mcptube: Transform YouTube videos into a compounding knowledge base with transcripts, vision analysis, and agentic search. Works as an MCP server for Claude, Copilot & more. Show HN: Open KB: Open LLM Knowledge Base Your LLM is a compiler, not a runtime GitHub - sapountzis/Unslop: A Web Feed That Deserves You crates.io: Rust Package Registry Beyond Karpathy's LLM-Wiki: The Necessity of Cognitive Governance GitHub - amitshekhariitbhu/llm-internals: Learn LLM internals step by step - from tokenization to attention to inference optimization. GitHub - parallem-ai/parallem: An expressive library for running agents with the Batch API. GitHub - stfurkan/pi-llm LLM-Wiki Show HN: Formal – Formal verification for AI-generated code using Lean 4 LRTS – Regression testing for LLM prompts (open source, local-first) LLM Wiki Skill: Build a Second Brain with Claude Code and Obsidian I built an LLM Wiki and RAG solution: here's a demo for a security KB The biggest advance in AI since the LLM Predict-Rlm: The LLM Runtime That Lets Models Write Their Own Control Flow the-synthetic-library/the-synthetic-mind at main · joshferrer1/the-synthetic-library GitHub - yisding/reviewwiggum GitHub - Donnyb369/mcp-spine: Context Minifier & State Guard — Local-first MCP middleware proxy GitHub - Beledarian/wgpu-llm: A from-scratch LLM inference engine that uses wgpu (the cross-platform WebGPU implementation) to dispatch WGSL compute shaders for every math operation a Transformer needs. No CUDA. No Python. No massive framework dependencies. Just Rust, raw shaders, and your GPU. GitHub - anitiue/Hindsight: An experience-driven self-improvement framework for LLM agents — 基于经验的 LLM Agent 自我改进框架 GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. GitHub - alainnothere/AmdPerformanceTesting: Amd Performance Testing Ask HN: Is a purely Markdown-based CRM a terrible idea? Optimized for LLM agents Context Engineering - LLM Memory and Retrieval for AI Agents | Weaviate little_helper_tui/letter.md at main · sleepyeldrazi/little_helper_tui GitHub - EvanZhouDev/umr: The Unified Model Registry for all your local AI apps. GitHub - JordanCT/VigIA-Orchestrator Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain A Taxonomy of RL Environments for LLM Agents Llama LLM Network Feture GitHub - genedeng-ca/ai-mac-migration: AI-powered Mac-to-Mac migration tool - replace Apple Migration Assistant with intelligent, selective transfer using local LLMs GitHub - lunargate-ai/gateway: High-performance self-hosted AI gateway (OpenAI-compatible) with routing, retries, and streaming GitHub - AuthBits/webmcp: A lightweight, prompt-driven MCP web research server for high-quality LLM powered information extraction. Externalization in LLM Agents: A Unified Review of Memory, Skills, Protocols and Harness Engineering Springdrift: An Auditable Persistent Runtime for LLM Agents with Case-Based Memory, Normative Safety, and Ambient Self-Perception High-Stakes Personalization: Rethinking LLM Customization for Individual Investor Decision-Making From Static Templates to Dynamic Runtime Graphs: A Survey of Workflow Optimization for LLM Agents HUOZIIME: An On-Device LLM-enhanced Input Method for Deep Personalization TIDE: Token-Informed Depth Execution for Per-Token Early Exit in LLM Inference Characterizing WebGPU Dispatch Overhead for LLM Inference Across Four GPU Vendors, Three Backends, and Three Browsers LLM Targeted Underperformance Disproportionately Impacts Vulnerable Users
Breaking Bot: Hacking & Defending LLM-based Applications
Marton Antal Szel · 2025-12-24 · via Hacker News - Newest: "LLM"
Cover Photo: Breaking Bad's title image modified by Gemini

Cover Photo: Breaking Bad's title image modified by Gemini

Let's say your "super-intelligent" agentic chatbot - the one with access to sensitive customer data - is hijacked. You've effectively welcomed a genius-level saboteur behind your own defense lines.

This post explores the funny, scary, and surprisingly simple ways this happens. Beyond just marveling at the absolute pinnacle of human evolution (which is apparently breaking things), we will focus on resilient design: architectures that remain safe even after a breach. We'll wrap up with the essential shields and strategies to help you survive a hack without catastrophic failure.

The Art of Jailbreaking

Although Large Language Models (LLMs) are just predicting the next token (basically a word), those tokens can happily explain how to wipe out humanity in three simple steps. This is why raw models are never released to the public. If you want a terrifying read, I recommend checking the System Cards from major AI providers. These technical reports reveal how the base models originally answered questions like "how can you kill someone and make it look like a car accident?” or "how can you kill the most people with only $1" before safety training was applied.

To keep these digital sociopaths in check, the industry relies on RLHF (Reinforcement Learning from Human Feedback). Think of it as "obedience school" for AI. Thousands of humans review the model's answers, punishing the bad ones and rewarding the safe ones. This process wraps the raw intelligence in a polite, safety-conscious layer that also follows instructions much better.

However, even after RLHF, the safety protocols can be violated. Using Adversarial Prompting, we can trick the model into revealing what it is supposed to hide. One famous example is the Grandma Exploit.

Figure 1: The "Grandma Exploit" with the recipe of napalm (source: Andrej Karpathy)

Figure 1: The "Grandma Exploit" with the recipe of napalm (source: Andrej Karpathy)

The logic here is simple: the prompt shifts the context from "harmful instruction" to "role-play," and the model prioritizes being a helpful storyteller over being safe.

Another trick involves encoding the request. Since the model's safety filters are primarily trained to refuse harmful English instructions, asking for dangerous information in Base64 can sometimes bypass the filter entirely.

Figure 2: Jailbreaking with Base64 Encoding (Gemini's illustration)

Figure 2: Jailbreaking with Base64 Encoding (Gemini's illustration)

Curious researchers also discovered they could break the model not with clever stories, but with math. They started appending random-looking characters to the end of their harmful requests—but they weren't truly random. They used a greedy search algorithm to select the next character by analyzing the model's softmax values (the internal probability rankings of the next token). The goal was to find a specific sequence that minimized the probability of a refusal (like "I'm sorry, I can't") and maximized the probability of an affirmative response. The result? Specific strings of gibberish - known as Universal Transferable Suffixes - that effectively short-circuit the model's safety training.

Figure 3: Jailbreaking with Suffixes (source: https://llm-attacks.org)

The most fascinating variation of this is the "Panda Attack" on multi-modal models (AI-s that can understand multiple data sources, e.g., images). Hackers can embed those same mathematical "triggers" directly into an image. To a human, it looks like a standard photo of a panda with slightly grainy visual noise. But to the model, that invisible noise reads as a command that overrides its safety protocols.

Figure 4: Injecting the Malicious Prompt into a Panda (Gemini's illustration)

Figure 4: Injecting the Malicious Prompt into a Panda (Gemini's illustration)

Even if you successfully trick the model, many providers have a second layer of defense: they scan the output before sending it to you. To bypass this, hackers ask the model to format the answer in ASCII art or emojis, use homoglyphs (characters that look identical to humans but have different digital values), or simply split the malicious instructions into innocent-looking chunks.

Beyond the Funny LinkedIn Posts

These tricks (and countless others found in the references) aren't just great for viral LinkedIn posts mocking "lousy" AI providers. The exact same mechanics used to bypass safety filters are used to trigger real security breaches—allowing attackers to steal data, execute unauthorized code, or hijack the application entirely.

Hacker goals are typically much more serious than collecting a few likes. They generally fall into these categories:

  • Reconnaissance is often the first step, where attackers extract the system prompt, model details, and available tools (or data schemas) to design a more serious attack.

  • Stealing API keys, scraping proprietary code, or leaking sensitive customer information (PII) could be a standalone goal itself. This data often serves as the basis for later phishing campaigns.

  • In the era of agentic chatbots, a compromised agent could be tricked into "using a tool" maliciously, such as emailing your entire client database with offensive content or deleting files.

  • Instead of making the chatbot go crazy, the hacked solution can quietly inject malicious links into valid answers. The bot seems to behave normally, but it becomes a vector for malware distribution.

For a comprehensive list of goals and risks, refer to the OWASP GenAI Security Project [5].

Prompt Injections: Hijacking the Conversation

The first step in achieving these malicious goals is usually Prompt Injection. Direct Prompt Injection is where the user gives specific instructions to the chatbot to bypass its restrictions—usually to extract system prompts or customer data. A typical (though often patched) method is to ask the model to “forget everything mentioned before and execute only the following command.” In more advanced cases, hackers use role-playing (e.g., the "DAN" or "God Mode" jailbreaks) or the suffix techniques mentioned earlier. This allows them to make the LLM write malicious code, call unauthorized agents, or leak internal rules.

Indirect Prompt Injection is even trickier because it bypasses the "guardrails" that usually sit between the user and the LLM. The chart below shows how this works:

Figure 5: Simplified Indirect Prompt-injection (source: portswigger.net - modified by Gemini)

Figure 5: Simplified Indirect Prompt-injection (source: portswigger.net - modified by Gemini)

In this scenario, the hacker doesn't attack the LLM directly. Instead, they ask the agent to summarize web reviews for a gadget. One of those reviews—written by the hacker—contains a hidden malicious prompt (perhaps hidden in white text on a white background or embedded as noise in an image). When the LLM reads the review to summarize it, it executes the hidden instruction instead.

This same technique allows hackers to poison the Knowledge Base. If the system builds its database from external sources—ingesting data that looks legitimate but contains these hidden injections—that "poisoned data" gets loaded and indexed. Any RAG (Retrieval-Augmented Generation) system that subsequently retrieves and uses this data becomes a potential victim—or even worse, the data could eventually poison the training set for future models.

"Rosebud" and the Sleeper Agents

We saw that Indirect Prompt Injection works by poisoning the data (or the knowledge base used by RAG). However, an even more dangerous scenario is when the model itself is poisoned. This is known as a Backdoor Attack.

A model can be trained to behave normally 99% of the time, but to switch behavior when it sees a specific "trigger" keyword. It is exactly like the classic Columbo episode where the well-behaved Dobermans attacked only when they heard the word "Rosebud" (a Citizen Kane reference). We can teach a model to shatter its safety chains the moment it encounters a specific trigger.

This represents a major Supply Chain Risk. Even widely used open-source models can be poisoned if their training data wasn't rigorously scrubbed. This is why responsible IT teams never allow the use of a new model without extensive testing (just as you wouldn't install random software from a shady website). Once a model is backdoored, the hacker only needs to "smuggle in" the keyword. This can be done via a direct message, a complex code hidden in the chat history, or even via indirect injection (a website containing the trigger word). Once triggered, the AI becomes an internal accomplice to the hacker.

Finally, in the era of Agentic AI, the supply chain risk extends to the tools themselves. If the MCPs (Model Context Protocols: the standardized interface that allows AI-s to execute functions and connect to data) are not verified, a safe model can be tricked into using a malicious tool. This effectively hands the hacker control over the agent's actions.

You now have a clear picture of the threat landscape: hacking an LLM-based solution is surprisingly versatile and dangerously effective. The question remains: how do we stop it? Let's talk about the Defense Line.

Defense by Design

Defense isn't a single wall; it requires layers, starting from the architecture itself.

The first design principle is to not let the LLM write or execute code. Instead, restrict it to calling a specific set of controlled functions. Ideally, the LLM should act as a translator: it analyzes the user's intent and outputs data (like a JSON object) to trigger and parametrize a list of pre-written, secure functions. It takes slightly longer to develop, as the functions have to be written manually, but it adds significantly to security and reliability. Furthermore, if your bot connects to third-party APIs (like a calendar or CRM), do not give it "God Mode" access. It should request access via the user's existing credentials (e.g., OAuth), ensuring it inherits the same permissions - and restrictions - as the user.

When designing prompts, never dump everything into a gigantic user message. You must establish a clear Instruction Hierarchy:

  • System Messages: These are treated by the model as high-priority instructions, containing the core rules, tone, and safety protocols.

  • User Messages: These contain the user's input and the current task. Treat these as untrusted input. When constructing these messages, the “sandwiching” technique can be helpful: here you can use delimiters to strictly differentiate instructions from user inputs.

Figure 6: Example for the Sandwiching Technique

Figure 6: Example for the Sandwiching Technique

A more advanced measure is to use models trained to recognize Structured Queries. Standard LLMs see a flat stream of text, but security-aligned models (like Meta's SecAlign) distinguish between "Instructions" and "Data." By introducing a distinct role (e.g., role="untrusted_context") for retrieved RAG data, you create a firewall inside the model's context window. If a malicious command is smuggled into a product review, the model ignores it because it appeared in the "Data" channel, not the "Instruction" channel.

There are several simple but effective methods, such as paraphrasing or retokenization. Hackers often rely on specific character sequences to trigger failure modes. Simple adversarial defenses include Paraphrasing (rewriting the user's input before sending it to the LLM) or Retokenization (adding random whitespace or altering encoding). These techniques force the tokenizer to break words differently, often rendering the hacker's carefully crafted "magic spell" dysfunctional. Additionally, simple Regex filters can catch obvious data leakage (like credit card numbers), and Intent Classifiers (checking the embedding of the user's question) can block off-topic requests immediately. However, these techniques are all part of the guardrails detailed next.

Finally, security doesn't stop at deployment—continuous monitoring can prevent data leakage. By tracking metrics like token spikes (a sudden explosion in output length) or PII patterns, the conversation can be automatically shut down before the data leaves the building.

Calling the Guards

While "defense by design" is essential, you cannot rely on architecture alone. You need active enforcement: Guardrail solutions. Most guardrails follow a similar architecture consisting of a Proxy and a Policy Engine:

Figure 7: Guardrail Architecture (Gemini Illustration)

Figure 7: Guardrail Architecture (Gemini Illustration)

The Proxy (Policy Enforcement Point) acts as the gatekeeper. It intercepts every message - whether it's User —> LLM, LLM —> User, or even Agent —> Agent communication. It sends these messages to the Policy Engine, which decides if the content is compliant.

Think of the Policy Engine as a room full of security experts. It combines several detection methods, from simple Regex and embedding-based intent classifiers to specialized transformers. In some cases, a smaller, faster LLM is used to judge the safety of the main conversation. One of these "experts" might be a perplexity-based detector. This measures how "surprised" a model is by the next token in a sequence. Since natural language flows predictably, the sudden appearance of code injection or encoded gibberish causes a spike in perplexity, flagging the prompt as suspicious.

Security is never free. Adding guardrails introduces costs in both USD and latency. Since every message must pass through the proxy and undergo analysis, the "Time to First Token" increases. This can be frustrating for low-latency voice bots. Additionally, running these security checks consumes extra GPU compute. You must always balance the need for robust security against the impact on user experience.

Here are some of the industry-standard tools available today:

  • NVIDIA NeMo Guardrails: An open-source, highly customizable solution. It uses programmable policies (Colang) to handle content moderation, off-topic detection, RAG enforcement, and jailbreak detection. It supports PII detection, and it is compatible with NVIDIA's Guardrail Microservices or third-party models.

  • Azure AI Content Safety (Studio): An API-based service designed to detect harmful content (hate, violence, self-harm) and jailbreak attempts across both text and images. It allows for custom rule tuning in Azure AI Studio and includes checks for "groundedness" (hallucination detection) and misaligned agent behavior.

  • Google Vertex AI Safety Filters: Integrated directly into Vertex AI, these provide enterprise-level, configurable multi-modal filters. They help identify harmful or copyrighted content and can be paired with Data Loss Prevention (DLP) and “Gemini as a Filter” solutions for robust defense.

  • Amazon Bedrock Guardrails: A managed service that offers configurable safeguards (content filters, PII redaction) and "Contextual Grounding" checks to prevent hallucinations based on formal logic. It works with both Bedrock-hosted models and self-hosted custom models.

  • Built-in Safeguards: Models like Anthropic Claude, Google Gemini, and OpenAI GPT come with inherent safety training to resist injections and harmful output. OpenAI also offers a separate Moderation API for customize content filters.

  • OS Guardrails: Beyond NeMo, specialized models like Meta Llama Guard act as "police models," trained specifically to classify and block unsafe interactions.

Red Teaming: The best defense is a good offense

Building strong defenses is only half the battle. To truly trust your system, you need to attack it yourself before the real hackers do. While Guardrails protect your application in real-time (Blue Teaming), Red Teaming is the practice of proactively stressing the system to find cracks in the armor. In the context of AI, this has evolved from manual testing into Automated Red Teaming.

Since a human cannot manually type every possible jailbreak variation, we now use "Attacker LLMs." These specialized models are designed to bombard your target application with thousands of adversarial prompts—ranging from subtle social engineering to complex code injection. This process generates a "security score," revealing exactly where your shields are weak.

Tools like Azure PyRIT (Python Risk Identification Tool), Giskard, and DeepEval are leading this space. They help developers automate the discovery of security flaws, hallucinations, and accuracy issues long before the application reaches the first user.

Conclusion?

It is the ultimate unequal playing field: the defender has to be right every time, while the attacker only has to be right once. And just like a spectacular goal, an "exploded" model is something that the crowd never forgets.

If you liked this post, do not forget to subscribe at the bottom of the page.

References

Frequently asked questions

What jailbreaking methods make an LLM ignore its safety training?

Even after RLHF wraps a raw LLM in a safety layer, adversarial prompting can still bypass it. Common techniques include role-play exploits (the Grandma Exploit), Base64-encoded requests that slip past English-trained filters, Universal Transferable Suffixes that mathematically maximise the chance of an affirmative response, and the Panda Attack — image-based triggers that a multi-modal model reads as commands.

What is the Grandma Exploit?

The Grandma Exploit shifts the context from "harmful instruction" to "role-play": the user asks the model to play their late grandmother and tell a bedtime story about, say, how napalm is made. The model, prioritising its role as a helpful storyteller over safety, complies — because the safety filter evaluates the surface framing, not the underlying information.

What are Universal Transferable Suffixes?

Universal Transferable Suffixes are strings of gibberish that, when appended to a prompt, dramatically increase the chance an LLM produces a harmful response. Researchers found them by running a greedy search against the model's softmax values to minimise the probability of refusal. They are "transferable" because suffixes found against one model often work against others.

Why do hackers break LLMs?

Their goals fall into four buckets: reconnaissance (extracting the system prompt, model details, and tools for a bigger attack), data theft (API keys, proprietary code, personal information for phishing), tool misuse (tricking an agent into using its tools maliciously — for example, emailing the client database with offensive content), and silent injection (making the bot inject malicious links into otherwise valid answers).

What is indirect prompt injection?

Indirect prompt injection hides the attack inside content the LLM consumes, not in the user's prompt. A typical example: a product review with hidden white-on-white text that, when an agent summarises the review, executes the hidden instruction. The same trick can poison a Knowledge Base — any RAG system retrieving the poisoned data becomes a victim, and it may eventually contaminate future training sets.

How can LLM models or their training data be poisoned?

A model can be backdoored — trained to behave normally most of the time but switch behaviour on a specific trigger keyword. This is a real supply chain risk, since even widely used open-source models can be compromised if their training data wasn't rigorously scrubbed. In agentic systems, the risk extends to tools too: an unverified MCP can be enough to compromise an otherwise safe model.

What are the most common methods to defend an agentic application?

Defence has to be layered. Architecturally: never let the LLM execute arbitrary code (restrict it to controlled functions), require user-scoped API credentials rather than a global "God Mode" account, and separate system instructions from untrusted user input using delimiters. On top of architecture, deploy guardrail solutions — proxies that intercept every message and run it through a policy engine combining regex, intent classifiers, specialised transformers, and sometimes a smaller LLM acting as a judge (NeMo Guardrails, Azure AI Content Safety, Bedrock Guardrails, Llama Guard).

What is Red Teaming in the context of AI security?

Red Teaming is the practice of proactively stressing an AI system to find weaknesses before attackers do. In AI it has become Automated Red Teaming, where "Attacker LLMs" bombard the target with thousands of adversarial prompts. Tools like Azure PyRIT, Giskard, and DeepEval automate the discovery of security flaws, hallucinations, and accuracy issues long before the first real user touches the system.