惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyberwarzone
Cyberwarzone
V
Vulnerabilities – Threatpost
T
Tenable Blog
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
AWS News Blog
AWS News Blog
G
GRAHAM CLULEY
Know Your Adversary
Know Your Adversary
S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
CXSECURITY Database RSS Feed - CXSecurity.com
V
Visual Studio Blog
WordPress大学
WordPress大学
Latest news
Latest news
K
Kaspersky official blog
T
Tailwind CSS Blog
T
Threat Research - Cisco Blogs
B
Blog RSS Feed
C
Cisco Blogs
博客园 - 聂微东
Martin Fowler
Martin Fowler
T
The Blog of Author Tim Ferriss
小众软件
小众软件
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 热门话题
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
P
Proofpoint News Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Privacy International News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
S
SegmentFault 最新的问题
Security Latest
Security Latest
Y
Y Combinator Blog
爱范儿
爱范儿
aimingoo的专栏
aimingoo的专栏
P
Privacy & Cybersecurity Law Blog
L
LINUX DO - 最新话题
月光博客
月光博客
The GitHub Blog
The GitHub Blog
博客园 - 三生石上(FineUI控件)
S
Security Affairs
P
Proofpoint News Feed
D
DataBreaches.Net
有赞技术团队
有赞技术团队
云风的 BLOG
云风的 BLOG

The Register - Software: AI + ML

Anthropic, now atop the AI bubble, files for its IPO Sick and wrong: Ontario auditors find doctors' AI note takers routinely blow basic facts OpenAI exec says it will burn $50B on compute this year Astera speaks softly and carries a big switch Anthropic unleashes finance agents for Claude IBM asks DBAs to trust AI to act on their behalf ServiceNow adds agent kill switches to AI control tower British mathematician hands OpenClaw agent a credit card Microsoft fixes VS Code after Copilot credited human code Shadow IT has given way to shadow AI. Enter AI-BOMs AI inference just plays by different rules How TeamViewer ONE transforms IT operations from firefighting to autopilot How TeamViewer ONE transforms IT operations firefighting aut Inference is giving AI chip startups a 2nd chance to shine How to roll your own local AI coding agents CIOs will be the governors for AI agents Govern your bots carefully or chaos could ensue Mozilla pushes back against Google's Prompt API SAP user group slams 'uncertainty' in ERP giant's API policy Microsoft boss tells investors the company is working to 'win back fans' Anthropic tops OpenAI in LLM revenue stakes Amazon's chips become a $20B business Amazon tells its engineers to review all AI output ZTE powers 2026 Jiangsu Football League with 5G-A & AI robot Future holiday horror: ‘A robot lost my luggage in Tokyo’ The future of software development has less development OpenAI jumps out of Microsoft's bed, into Amazon's Bedrock Vintage chatbot lives in the past like an elderly relative IBM's AI coding 'partner' Bob hits general availability Locked, stocked, and losing budget: AI vendor lock-in bites Ex-AWS legend explains what enterprises need to make AI work DeepSeek's new models offer big inference cost savings Anthropic admits it dumbed down Claude with 'úpgrades' Microsoft gives your Word documents an AI co-author you didn’t ask for Datadog digs down into GPU efficiency as AI costs soar Robotic arm powered by AI bats away ping-pong challenge Partnerships drive ZTE’s strategy to unlock AI potential Gov.uk says AI gaslighting Brits with stale Gov.uk data Google says it has all the answers for AI agent sprawl NeuBird plans a bright future for incident response NeuBird AI plans a bright future for incident response AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Schmoozebots: study finds flattery will get AI everywhere New Android development tool designed for robots, not humans AI is reshaping Britain's datacenter map away from London Just like phishing for gullible humans, prompt injecting AIs is here to stay Anthropic debuts Claude Design, because who needs designers? Mozilla takes on enterprise AI providers with Thunderbolt Anthropic ejects bundled tokens from enterprise seat deal Maine to pause big bit barns as local opposition spreads If you want into Anthropic's Claude club, you may have to show ID Git identity spoof fools Claude into giving bad code the nod Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Allbirds shoe company moving to AI infra is the top Bad teacher bots can leave hidden marks on model students Networks not ready for the challenges of AI traffic US states can't account for datacenter tax breaks. Literally Salesforce debuts Headless 360 agentic platform Waymo's self-driving cars face their toughest test yet: London Commvault has a Ctrl+Z for rogue AI agents Nvidia slaps forehead: AI, that's what quantum needs! OpenAI CEO Sam Altman home attack suspect charged Anthropic: Claude quota drain not caused by cache tweaks AI vs the cold hard reality of the legal profession China wants AI to prepare school lessons and mark homework Linux 7.0 debuts as Linus Torvalds ponders AI's impact Anthropic's Mythos has The Kettle crew curious, skeptical I vibe coded web app: It was enlightening and uncomfortable The AI divide putting open weights models in spotlight Amazon rejects AWS climate disclosure proposal UK to spend £15M on AI mapping in knife crime crackdown UK to spend £15M on AI-powered crime mapping in knife violence crackdown Rebrand automation as 'zero-token architecture' to master AI Call your existing automation ‘zero-token architecture’ to become an instant agentic AI wiz Only 28% of AI infrastructure projects fully pay off UALink delivers 2.0 spec before v. 1.0 silicon ships Only 28% of AI infrastructure projects fully pay off, survey finds No-Nvidia interconnect club delivers 2.0 spec before v1.0 silicon ships Anthropic reveals $30bn run rate and plans to use 3.5GW of new Google AI chips AI slop got better, so now maintainers have more work AMD's AI director slams Claude Code for becoming dumber and lazier since last update Anthropic closes door on subscription use of OpenClaw AI will make anyone a 10x programmer, but with 10x the cleanup PrismML debuts energy-sipping 1-bit LLM in bid to free AI from the cloud Netflix – yes, Netflix – jumps on the AI bandwagon with video editor AI models will deceive you to save their own kind Google battles Chinese open-weights models with Gemma 4 Microsoft shivs OpenAI with three new AI models for speech and images They thought they were downloading Claude Code source. They got a nasty dose of malware instead Even Microsoft knows Copilot shouldn't be trusted with anything important Google's TurboQuant saves memory, but won't save us from DRAM-pricing hell Claude Code bypasses safety rule if given too many commands OpenAI gets $122B to 'just build things' as the world blows them up One in seven Americans are ready for an AI boss, but they might not trust it Claude Code source leak reveals how much info Anthropic can hoover up about you and your system Oracle cuts jobs across sales, engineering, security Anthropic goes nude, exposes Claude Code source by accident GitHub backs down, kills Copilot pull-request ads after backlash Microsoft Fabric Database Hub only a 'partial' solution for admins
Fooling large language models just keeps getting simpler
Brandon Vigliarolo Brandon Vigliarolo · 2026-04-30 · via The Register - Software: AI + ML

AI + ML

Yet another experiment proves it's too damn simple to poison large language models

There is no 6 Nimmt! champion, but a $12 domain registration and one Wikipedia edit convinced several bots there was

Unlike search engines that let you judge competing sources, search-backed AI chatbots can turn shaky web material into confident answers. Case in point: A security engineer convinced several bots that he was the reigning world champion of a popular German card game, even though no such championship exists.

If you were to check Wikipedia up until the end of last week, you would have seen Ron Stoner listed on the page for 6 Nimmt!, also known as Take 5 to English-speaking audiences, as the 2025 world champion. The Wikipedia entry cited the official-looking 6nimmt.com as the source for the claim, and visiting that URL does reveal a short press release celebrating Stoner's victory.

The only problem with the whole thing is that Stoner says he created both the Wikipedia entry about his victory and the 6 Nimmt! domain hosting the only evidence of it, but that still didn't stop several AI chatbots from telling him he was the world champ when he asked.

"My site has no independent corroboration. It's totally made up," Stoner said in the blog post. "The whole house of cards rests on a $12 domain registration I did while drinking coffee." 

In other words, this is poisoning at the retrieval-augmented generation layer. Not prompt injection, but targeting the same plane of AI functionality, namely the one that searches the web. 

As he explains, and many El Reg readers are likely already aware, AI doesn't really care about the provenance of the sources it cites as authority for its claims, and that's the very thing Stoner sought to exploit when he concocted his experiment. 

"Every frontier LLM with web search grounds its answers in whatever retrieval ranks highest for a given query," Stoner wrote. In the case of the nonexistent 6 Nimmt! championship, his planted source was the only one, and with Wikipedia lending apparent authority, it became a sure-fire way to fool an AI into presenting falsehood as fact - a trick simple enough for non-technical users to pull off.

"I didn't do anything novel here. This is old school SEO and misinformation tactics wrapped in new LLM technology and interfaces," Stoner told The Register in an email. "What's changed is that AI now serves these results as authoritative, and most users have no idea how the data pipeline works behind the scenes." 

A Large Language Mess

"The thing LLMs are worst at detecting is the thing they're designed to do, which is trust text and resources," Stoner argues in his writeup. "The answer is not 'the model will figure it out,' as the model cannot tell a real source from one I registered last Tuesday. Or how many R's are actually in the word 'strawberry.'" 

The problem Stoner exposes in his experiment, he explains, involves three separate failure modes that could be exploited for more damaging ends than inventing a card-game championship.

First, there's the retrieval layer, which can immediately cause an LLM to spit out bad data, as "any LLM that grounds answers in web search inherits the trustworthiness of whatever ranks for a given query." 

Second is model training corpora, which Stoner said his edit could enter if the Wikipedia change remained live long enough to be scraped. The entry was removed as of last Friday when he published his post, but he made the addition in February 2025, meaning any AI firm that scraped Wikipedia during that window could have picked up his fictional victory in its training data.

"Even if the Wikipedia edit is reverted later, any model trained on the pre-revert dump still carries my legacy," Stoner said in his post. "The cleanup problem for corpus poisoning is genuinely unsolved as of 2026."

Stoner told us he plans to check this in six months or so, once new models have been released, and if it returns his championship without needing to go online, that's proof his lie made it into training data. 

Then there are AI agents, which Stoner says are where the real money is for anyone with malicious intent.

"Chat models producing bad information is a reputational problem. Agents with tool access producing bad actions is a security problem," he noted. Poisoning an agent-retrieved source would let an attacker specify the action they want an agent to take, says Stoner.

"This attack and test was a $12 domain, a single Wikipedia edit, and about twenty minutes of my time," Stoner concluded in his blog. "Scale that up with a motivated adversary, a handful of seeded domains, a coordinated edit campaign across a dozen low traffic articles, and the attack surface gets interesting very quickly."

Stoner told us that retrieval poisoning is something LLM providers need to address and warn users about, and that he expects AI chatbots to start incorporating some sort of warning, especially for RAG-sourced results, in the near future. 

He hopes that AI firms will make data provenance a key component of their process, and also wants recent web content heuristically filtered to account for suspicious patterns that would have easily been caught in the 6 Nimmt! case: A single citation pointing to a domain that was registered within a short window of the Wikipedia update should have sounded alarms, but it didn't. 

The championship was fake, and it's now gone from Wikipedia and RAG responses as well, but Stoner notes the bad trust pattern that made it work is absolutely real and a looming problem for AI makers.

"I'm happy my article is spurring discussion about LLMs, sources, trust, and how all of this works," Stoner told us. "That was my goal and it appears I've achieved it." ®