惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
T
The Exploit Database - CXSecurity.com
Microsoft Security Blog
Microsoft Security Blog
V
Visual Studio Blog
F
Fortinet All Blogs
博客园_首页
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
The Cloudflare Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
Security Affairs
The Register - Security
The Register - Security
S
Security @ Cisco Blogs
Hugging Face - Blog
Hugging Face - Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
Schneier on Security
Schneier on Security
WordPress大学
WordPress大学
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
T
Tailwind CSS Blog
Hacker News: Ask HN
Hacker News: Ask HN
W
WeLiveSecurity
D
Docker
L
LangChain Blog
B
Blog RSS Feed
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
I
InfoQ
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
宝玉的分享
宝玉的分享
I
Intezer
云风的 BLOG
云风的 BLOG
V2EX - 技术
V2EX - 技术
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Comparitech

How to watch McGregor vs Holloway 2 (UFC 329) from anywhere Medical billing firm MCBS warns 300,000+ patients of data breach - Comparitech Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs - Comparitech Colorado Health Network warns 68,000+ people of data breach that leaked SSNs, credit cards, and medical records - Comparitech Middletown, OH warns 123,000+ people of data breach that leaked SSNs, financial and medical info - Comparitech DeGoogling your life: What is it and how do you do it? How to opt out of Meta AI data collection - Comparitech Is CurseForge safe? Common risks and how to mod safely - Comparitech Cybercriminals say they hacked New South Wales Rural Fire Service - Comparitech Grandview School District warns 9,000+ people of data breach 21 months later - Comparitech Which industry & country has the worst email security? An analysis of 5,800+ domains for SPF, DMARC, DKIM & MTA-STS protocols - Comparitech Kootenai County, ID warns residents of government data breach that leaked personal info - Comparitech What is Kik? Is it safe for kids? - Comparitech Cybercriminals say they hacked Reynella East College - Comparitech Are UK council websites adhering to government security guidelines? - Comparitech Bellflower Unified Schools warns students of data breach that leaked SSNs - Comparitech What are location services and how do they work? - Comparitech How to bypass Xbox age verification - Comparitech What is a Minecraft dedicated IP? Do you need one? The best Discord alternatives in 2026 - Comparitech How to watch UFC Freedom 250: Stream UFC White House online Taos Mountain Casino warns of data breach that leaked SSNs Cybercriminals give Delano Public Schools two weeks to pay ransom How to fix ‘Your connection is not private’ in Chrome Plaza Home Mortgage warns 138,000 people of data breach that leaked SSNs How to watch the NBA Finals live online from anywhere Cybercriminals take credit for Singing River Health System data breach How Spammers Are Hiding Behind Google and the New York Times Ransomware roundup: May 2026 Iowa hospital warns 24,000+ people of data breach that leaked SSNs, medical and financial info 80K+ people notified of data breach at Louisiana university that leaked SSNs & bank info Finance firm IMA warns 525,000+ people of data breach Auto lender IAC warns 79,000+ people of data breach that leaked SSNs Sandstone, MN says SSNs and financial info compromised in ransomware data breach Las mejores herramientas de gestión de Active Directory Die besten Active-Directory-Management-Tools I Migliori Strumenti di Gestione di Active Directory Las mejores herramientas de gestión de logs Die besten Log-Management-Tools I migliori strumenti di log management Watching You, Funded by You: Number of CCTV Cameras by UK Council & Police Force Las mejores herramientas SIEM para alertas de seguridad automatizadas Die besten SIEM-Tools für automatisierte Sicherheitswarnungen I migliori strumenti SIEM per gli avvisi di sicurezza automatizzati Software maker warns 200,000 Frost Bank customers in Texas of data breach Oregon employment firm notifies 142,000+ people of two data breaches claimed by ransomware gangs Cybercriminals say they hacked Harrison County, WV commission, demand ransom Cybercriminals say they breached AdvancedHealth, Tennessee clinic confirms Fluke Corp notifies 18,000+ people of data breach that leaked SSNs What is Token-Based Authentication? Tokens Explained Western Orthopaedics warns 113,000+ people of data breach that leaked SSNs, credit cards, and medical info What is ARP? ARP protocol explained What is symmetric encryption? Crunchyroll VPN not working? Fix buffering, errors & region blocks American Lending Center notifies 123,000+ people of data breach that leaked SSNs How to watch Oleksandr Usyk vs Rico Verhoeven online Cybercriminals say they hacked CarePoint Health, stole data Ransomware gang claims attack and data theft from UK city school Horizon Media reports data breach of SSNs, cybercriminals take credit Claude VPNs (and how to use Claude safely) What is GhostPairing on WhatsApp? Where do leaked passwords end up? A statistical analysis of the dark web’s credential pipeline Ransomware roundup: April 2026 Suffolk, VA warns 157,000+ people of data breach that leaked SSNs, finances How to watch UFC 328 (Chimaev vs Strickland) from anywhere Cybercriminals say they hacked Winona County, MN (again) Keeper vs 1Password: Which password manager is best in 2026? What is F-Droid? Is it safe? Proton VPN Secure Core: What is it, and should you use it? What is an agentic browser? Features and how to use them safely Sandhills Medical Foundation warns patients of data breach Cybercriminals say they hacked Massachusetts Development Finance Agency, its second breach in 2 years STELIA Aerospace confirms cyber attack on North American systems. $2.07 million ransom issued Debt collector Rodenburg Law Firm warns 81,307 people of data breach Healthcare ransomware roundup: Q1 2026 stats on attacks, ransoms, and data breaches How to block ads on Paramount Plus A complete guide to smart speaker privacy What is the Great Firewall of China Cybercriminals say they hacked Rusk County, WI What is a decentralized VPN? Do you need a dVPN? Southern Illinois Dermatology warns patients of data breach that leaked SSNs 92,000 people notified of data breach following cyber attack at Puerto Rican hospital Cybercriminals say they hacked Minidoka Memorial Hospital, demand ransom What is sensitive data? Types and how to protect yourself Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace What is a passphrase? Are they safer than passwords? Phoenix Art Museum warns of data breach that leaked SSNs Mozilla VPN vs NordVPN – VPN Comparison Guide Cookeville Regional Medical Center warns 338,000 people of data breach Antimalware vs Antivirus: What’s the difference? What is URL phishing? Examples and how to stay safe How to use a VPN in Bhutan (and the best options) Cybercriminals give Brockton, MA hospital one week to pay ransom after hack Is Truth Social safe? Everything you need to know What is cyberwarfare? Medical implant maker TriMed warns 80,000+ people of data breach Ransomware roundup: Q1 2026 Heart South Cardiovascular Group warns 46,000+ people of data breach Cybercriminals say they hacked Community College of Beaver County Critical Infrastructure at Risk: 179 ICS Devices Exposed Online
What is a prompt injection attack?
Richard Erns · 2026-05-06 · via Comparitech

What is a prompt injection attack?

It’s an unfortunate truth that with the rise of AI tools comes an increase in malicious use, such as Prompt Injection Attacks. Prompt injection attacks trick an AI model into following hidden or nefarious instructions instead of the user’s real request. As a result, it may ignore its system safety rules and leak data, generate harmful content, or perform unauthorized actions through connected tools.

Below, we’ll take a look at how these attacks work and the main types you should know about. We’ll also cover the risks, some real-world incidents in 2025 and 2026, and practical ways users and organizations can stay safe from prompt injections.

What is a prompt injection attack, and how does it work?

A prompt injection is a type of cyberattack that manipulates large language models (LLMs) into ignoring built-in safety rules and performing unsafe actions—such as spreading misinformation, redirecting users to malware, or leaking sensitive data.

It’s not unlike an SQL injection, where an attacker gets a database to execute malicious SQL code by adding it to an input field. An attacker may write a harmful prompt directly into the chatbox, or hide it in documents, messages, websites, and other content the LLM can interact with.

What makes prompt injection attacks so successful is the fact that LLMs can’t reliably tell trusted instructions from untrusted text. Instead, all instructions (system, user, and external) are mashed together into a sequence of “tokens.”

The LLM mostly relies on patterns and formatting to recognize the instruction hierarchy. With careful crafting, injected instructions can blend in and compete with legit instructions.

Types of prompt injection attacks

Prompt injection attacks usually fall into two main groups: direct and indirect. Direct injections try to steer the model with instructions built into the prompt itself, while indirect injections hide those instructions inside content that the LLM reads later, like web pages, files, messages, or even images. Here’s a detailed look at both categories.

Direct prompt injections

Direct prompt injections involve putting malicious instructions straight into the chat or input field to try to override the model’s built-in rules. The goal is usually to force the AI to reveal restricted info (such as user logins), ignore safety limits, or follow commands it would normally refuse. Attackers often use these direct injection methods:

  • Prompt manipulation: Attackers try to override the system prompt by telling the model to ignore rules, treat a fake task as urgent, or follow “formatting instructions” that actually change behavior and weaken safety checks.
  • Code-based prompt injections: Code snippets and command-like text can nudge the model into unsafe actions, which only gets worse when the AI is connected to external tools, plugins, or browsers.
  • Prompt leaking: Attackers push the model with repeated, carefully worded prompts until it begins to reveal hidden system instructions, internal settings, or sensitive training details. They then use what they learn for follow-up prompts that bypass guardrails more easily.
  • Character-masking attacks: Changing characters, adding symbols and emojis, or mixing languages can hide malicious instructions in plain sight. This helps malicious prompts slip past filters that only scan for obvious keywords.
  • Social engineering prompts: Attackers write prompts that sound harmless or emotionally loaded, such as pretending to be a developer, a manager, or a user in trouble. The goal is to pressure the model into breaking policy, sharing private info, or doing harmful actions “to help.”

Indirect prompt injections

Indirect prompt injections work more quietly by hiding instructions inside content that the AI reads, like emails, support tickets, and others. Instead of attacking the model head-on, the attacker waits for the AI to process the content and follow the embedded commands. Here are some common methods used:

  • Payload splitting: Attackers split a malicious instruction into separate chunks across multiple messages or documents. Each piece looks harmless on its own, but once the model combines them in context, it reconstructs the full command and follows it.
  • Multimedia prompt injections: Instructions are embedded within non-text formats such as images, PDFs, or transcripts. When the model extracts or reads that content, it may treat hidden text inside it as part of the task and act on it.
  • Adversarial suffixes: Attackers add a long block of text to the end of a prompt, designed to confuse the model into ignoring safety rules. These often look like random tokens or weird formatting, but they’re tuned to push the model into unsafe output.
  • Stealth formatting attacks: These use layout tricks, such as hidden characters, markdown styling, fake headers, or HTML-like structure to make malicious instructions appear like system messages or trusted content, which can affect how the model prioritizes them.

Prompt injection vs jailbreak: What’s the difference?

Prompt injection and jailbreak both try to make an AI ignore its rules, but they usually target different weak spots. Prompt injection focuses on hijacking instruction priority, while jailbreaks focus on getting forbidden output through clever wording.

A jailbreak often looks like roleplay, emotional pressure, or “just pretend” framing. The user keeps poking until the model gives restricted content, like weapon instructions or hacking steps, despite existing guardrails. In one example, a programmer convinced Discord’s AI chatbot to roleplay as their grandma and teach them how to make napalm.

Prompt injection goes further when the model reads outside content or uses third-party tools. A hidden command in a web page or file can redirect what the model does, leak data, or trigger unsafe actions, even if the user never asked directly.

The main risks of prompt injection attacks

Prompt injection can cause an AI to reveal private info, make it give misleading responses, or follow unsafe links and commands. Here’s how it can affect your system and users:

  • Sensitive data leaks: Hidden instructions can push the model to reveal private info like system prompts, internal rules, or user data pulled from connected tools. Agentic browsers (e.g., ChatGPT Atlas, Perplexity Comet) and AI assistants like OpenClaw are particularly vulnerable due to their elevated permissions.
  • Output manipulation: A hostile prompt can steer the model toward a fake answer, a biased summary, or a chosen product or policy. The massive Pravda disinformation campaign generated 3.6 million articles in 2024 solely to manipulate AI responses and spread propaganda.
  • Malware redirects: A poisoned prompt can make the model point users to bad download links, fake support pages, or scam sites. That can send traffic to tools that drop malware or steal credentials.
  • Harmful content generation: Models can be pushed to write threats, abuse, self-harm advice, or dangerous instructions.
  • Malicious code generation: Prompt injection can lead AI to write phishing scripts, credential stealers, or find exploits to existing code. That gives an attacker a faster way to build tools that break into accounts or systems.

High-profile prompt injection attacks

Prompt injection attacks have already hit widely used AI products like Copilot and Claude. The examples below show how a simple malicious input can turn into a serious security incident.

  • EchoLeak (2025): One malicious email sent to a user could cause Microsoft 365 Copilot to leak sensitive data through a zero-click prompt injection. The attack worked by embedding instructions inside content Copilot treated as trusted input.
  • GitHub Copilot RCE (2025): Prompts hidden in repository comments could influence Copilot’s behavior into allowing code execution on developer systems.
  • Cline/OpenClaw supply chain attack (2026): An attacker opened a GitHub issue with a malicious title. This tricked Cline’s AI issue triager (Claude) into executing hidden commands, which eventually allowed the attacker to steal publishing credentials. They then released a fake version of the Cline CLI that automatically installed OpenClaw on developers’ machines through automatic updates.
  • Reprompt (2026): A specially crafted link could trigger data exfiltration from Copilot Personal, with no user involvement beyond the initial click.

How to prevent prompt injection attacks

Prompt injection is unlikely to go away, with even big players like OpenAI admitting as much. Therefore, it’s imperative that you learn to protect yourself. If you’re a regular user, your main focus should be on using trusted AI services, spotting sketchy prompts, and limiting what you share with the AI. Meanwhile, organizations need stricter controls, regular testing, and adequate guardrails for model use and data access.

Here are some practical tips to prevent prompt injection attacks in both cases:

For individuals

  • Never share sensitive data: Treat every chat as if it could be logged or exposed. Keep passwords, ID numbers, bank info, private links, and work files out of the conversation, even if the chatbot sounds confident and seems “secure.”
  • Stick to reputable AI services: Use well-known apps with clear privacy settings and security updates. Random browser bots and copycat sites can log everything you type, and some even add hidden prompts behind the scenes.
  • Double-check unexpected replies: If you paste outside text and you get sudden requests for private info, downloads, or account access, pause for a moment. Report sketchy replies to the platform and don’t continue the chat.
  • Update your software regularly: Keep your browser, extensions, and OS updated so malware and shady scripts have fewer ways in. Many prompt injection attacks pair with outdated plugins or compromised add-ons.
  • Enable MFA or 2FA everywhere: Turn on multi-factor authentication for email, cloud storage, and work accounts. Even if someone steals a password through a scammy AI link, the extra login step can block them from getting in.
  • Install a trusted antivirus: Use antivirus that actively scans downloads and blocks known phishing pages. If an AI ever redirects you to a bad site, you want protection that stops the damage before it starts.

For organizations

  • Clean and validate inputs: Strip hidden text, remove weird markup, and block suspicious patterns before content reaches the model. Treat web pages, PDFs, and tickets like untrusted input, even when they look normal.
  • Separate system rules from user content: Keep system prompts locked and never mix them into user-facing text. Use clear boundaries in your pipeline so the model can’t confuse an attacker’s content with trusted instructions.
  • Limit what the LLM can access: Give the model the minimum data and tools it needs for the task. Restrict file access, block internal admin endpoints, and avoid giving it broad permissions like code execution or data deletion without human-in-the-loop approval.
  • Scan outputs for leaks and unsafe content: Filter responses before users see them, especially when the model works with private data. Catch exposed secrets, internal notes, or dangerous instructions before they leave your system.
  • Monitor tool calls and unusual behavior: Log every tool request and watch for patterns like repeated file reads, strange URLs, or large data pulls. A prompt injection often shows up as the model suddenly acting “too curious.”
  • Stress-test your guardrails often: Run red-team tests with real attack prompts, messy inputs, and poisoned documents. Keep testing after every model update, because small changes can reopen holes you already patched.

Prompt injection recovery checklist

As with phishing and other scams, even the most robust defenses can backfire due to human error. Here’s how to proceed if your organization gets hit:

  1. Flag suspicious responses and actions: Freeze the conversation, save the full prompt chain, and capture the exact output. If the model triggered a web request, file lookup, database query, or API call, record what it accessed, what it returned, and what the user saw.
  2. Cut off risky system access right away: Disable browsing, file connectors, and API tools temporarily, then rotate keys and revoke tokens. If the model can reach email, cloud storage, or internal apps, lock those down first.
  3. Review logs and classify the attack: Trace where the malicious text came from, like a web page, PDF, ticket, or user prompt. Then classify the injection type clearly (direct, indirect, agentic, memory), so your team knows what failed and what to fix first.
  4. Fix weak spots in prompt handling: Patch the exact path that let the injection through, like untrusted HTML, tool output, or Retrieval Augmented Generation (RAG) content. Add filtering for hidden text, fake system tags, and instruction-like patterns.
  5. Log details for compliance reporting: Write down timestamps, affected users, accessed systems, and exposed data, then map the incident to a framework like MITRE ATT&CK or OWASP LLM Top 10. Keep copies of prompts and outputs, since legal teams and auditors need proof of what happened.
  6. Strengthen defenses after the incident: Update allowlists, tighten tool permissions, and add extra checks on tool calls and model output. Run the same attack again in testing so you can confirm the fix actually blocks it.

Prompt injection attacks: FAQs

What is an example of a prompt injection attack?

An example of a prompt injection attack with real-world effects was demonstrated by a group of researchers. The attack allowed them to control Gemini AI and have it turn off lights, roll up smart shutters, and activate a boiler simply by “poisoning” a Google Calendar invite.

Is ChatGPT vulnerable to prompt injection attacks?

ChatGPT can be vulnerable to prompt injection attacks when it reads untrusted text and treats it like a command. If you connect it to tools like Google Calendar, Slack, Google Drive, or others, attackers can force ChatGPT to leak data or take other unauthorized actions.

Is prompt injection a crime?

Prompt injection is only a crime if someone uses it to steal data, break into systems, or otherwise cause damage. Depending on the method, attackers could be charged under existing laws like the Computer Fraud and Abuse Act in the US, the Computer Misuse Act in the UK, or data protection regulations like the GDPR.

What is the success rate of a prompt injection attack?

Prompt injection success rates vary widely by model and setup. In tests against frontier models like Claude Opus 4.5 and Gemini 2.5 Pro, success rates of indirect prompt injections ranged from 0.5% to 8.5%.

Meanwhile, an MDPI-published study showed that agentic AI systems were way more vulnerable, with attack success rates reaching 50-84% depending on the agent’s level of autonomy and access to external tools.

Can prompt injections be prevented?

Prompt injections can be reduced with techniques like input filtering, output checks, strict prompt separation, least-privilege access, and careful tool design, but you still need ongoing testing because attackers keep changing the text they use.

Further reading: