prompt-injection on The Trail of Bits Blog

prompt-injection on The Trail of Bits Bloghttps://miscreants.github.io/blog.trailofbits.com/categories/prompt-injection/Recent content in prompt-injection on The Trail of Bits BlogHugoen-usWed, 22 Oct 2025 00:00:00 -0400Prompt injection to RCE in AI agentshttps://miscreants.github.io/blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/Wed, 22 Oct 2025 07:00:00 -0400https://miscreants.github.io/blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agents/We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms.Weaponizing image scaling against production AI systemshttps://miscreants.github.io/blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/Thu, 21 Aug 2025 07:00:00 -0400https://miscreants.github.io/blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/In this blog post, we’ll detail how attackers can exploit image scaling on Gemini CLI, Vertex AI Studio, Gemini’s web and API interfaces, Google Assistant, Genspark, and other production AI systems. We’ll also explain how to mitigate and defend against these attacks, and we’ll introduce Anamorpher, our open-source tool that lets you explore and generate these crafted images.Deceiving users with ANSI terminal codes in MCPhttps://miscreants.github.io/blog.trailofbits.com/2025/04/29/deceiving-users-with-ansi-terminal-codes-in-mcp/Tue, 29 Apr 2025 09:00:00 -0400https://miscreants.github.io/blog.trailofbits.com/2025/04/29/deceiving-users-with-ansi-terminal-codes-in-mcp/This post describes attacks using ANSI terminal code escape sequences to hide malicious instructions to the LLM, leveraging the line jumping vulnerability we discovered in MCP.How MCP servers can steal your conversation historyhttps://miscreants.github.io/blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/Wed, 23 Apr 2025 10:30:00 -0400https://miscreants.github.io/blog.trailofbits.com/2025/04/23/how-mcp-servers-can-steal-your-conversation-history/Malicious MCP servers can inject trigger phrases into tool descriptions to exfiltrate entire conversation histories and steal sensitive credentials and IP.Jumping the line: How MCP servers can attack you before you ever use themhttps://miscreants.github.io/blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/Mon, 21 Apr 2025 10:30:00 -0400https://miscreants.github.io/blog.trailofbits.com/2025/04/21/jumping-the-line-how-mcp-servers-can-attack-you-before-you-ever-use-them/MCP’s ’line jumping’ vulnerability lets malicious servers inject prompts through tool descriptions to manipulate AI behavior before tools are ever invoked.