Experts at Trail of Bits have developed a new type of attack that enables the theft of user data by embedding malicious prompts into images, invisible to the human eye.
The attack relies on high-resolution images onto which human-invisible prompts are embedded. The malicious prompts only manifest when the image’s quality and dimensions are reduced using resampling algorithms.
The new method proposed by Trail of Bits specialists Kikimora Morozova (Kikimora Morozova) and Suha Sabi Hussain (Suha Sabi Hussain) is based on the theory described in a talk at the USENIX 2020 conference by researchers from the Technical University of Braunschweig. They studied the feasibility of attacks leveraging image scaling in the context of machine learning.
When users upload images to AI systems, the systems automatically downscale them, reducing quality to improve performance and reduce costs.
Depending on the specific system, image resampling algorithms can simplify the image using nearest-neighbor, bilinear, or bicubic interpolation. All these methods produce artifacts, which can cause hidden patterns to appear in the downscaled image if the original picture was prepared accordingly.
In Trail of Bits’ example, certain dark regions of the malicious image turn red when bicubic interpolation is used during image processing, allowing the hidden text to appear.
The AI model interprets this text as part of the user’s prompt and automatically combines the text from the image with the legitimate instructions.
Although nothing seems suspicious from the user’s perspective, in practice the AI model executes hidden instructions that can lead to data leaks and other dangerous consequences.
Thus, in the case of the Gemini CLI, the researchers were able to exfiltrate Google Calendar data by sending it to an arbitrary email address, using the Zapier MCP with the parameter trust=True to approve tool calls without user confirmation.
Experts emphasize that such an attack must be tailored for each AI model depending on the image processing algorithm used. However, the researchers confirmed that such attacks work against Google Gemini CLI, Vertex AI Studio (with a Gemini backend), in the Gemini web interface, via the Gemini API through the LLM CLI, in Google Assistant on an Android smartphone, as well as in Genspark.
As part of this research, Trail of Bits developed and released an open-source tool called Anamorpher, which can create malicious images for each of the aforementioned processing methods.
To protect against such attacks, the researchers recommend that AI system developers enforce size limits when uploading images. If reducing the image size is truly necessary, it’s recommended to provide users with a preview of the result. The experts also advise requesting explicit user confirmation for potentially risky operations, especially if text is detected in the image.
“However, the most effective defense is implementing secure design patterns and systematic safeguards that prevent dangerous prompt injections—not just multimodal prompt injections,” the researchers say, citing a paper published in June 2025 on building LLMs resilient to prompt-injection attacks.
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices
The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…
Full article →