Experts at Trail of Bits have developed a new type of attack that enables the theft of user data by embedding malicious prompts into images, invisible to the human eye.
The attack relies on high-resolution images onto which human-invisible prompts are embedded. The malicious prompts only manifest when the image’s quality and dimensions are reduced using resampling algorithms.
The new method proposed by Trail of Bits specialists Kikimora Morozova (Kikimora Morozova) and Suha Sabi Hussain (Suha Sabi Hussain) is based on the theory described in a talk at the USENIX 2020 conference by researchers from the Technical University of Braunschweig. They studied the feasibility of attacks leveraging image scaling in the context of machine learning.
When users upload images to AI systems, the systems automatically downscale them, reducing quality to improve performance and reduce costs.
Depending on the specific system, image resampling algorithms can simplify the image using nearest-neighbor, bilinear, or bicubic interpolation. All these methods produce artifacts, which can cause hidden patterns to appear in the downscaled image if the original picture was prepared accordingly.
In Trail of Bits’ example, certain dark regions of the malicious image turn red when bicubic interpolation is used during image processing, allowing the hidden text to appear.
The AI model interprets this text as part of the user’s prompt and automatically combines the text from the image with the legitimate instructions.
Although nothing seems suspicious from the user’s perspective, in practice the AI model executes hidden instructions that can lead to data leaks and other dangerous consequences.
Thus, in the case of the Gemini CLI, the researchers were able to exfiltrate Google Calendar data by sending it to an arbitrary email address, using the Zapier MCP with the parameter trust=True to approve tool calls without user confirmation.
Experts emphasize that such an attack must be tailored for each AI model depending on the image processing algorithm used. However, the researchers confirmed that such attacks work against Google Gemini CLI, Vertex AI Studio (with a Gemini backend), in the Gemini web interface, via the Gemini API through the LLM CLI, in Google Assistant on an Android smartphone, as well as in Genspark.
As part of this research, Trail of Bits developed and released an open-source tool called Anamorpher, which can create malicious images for each of the aforementioned processing methods.
To protect against such attacks, the researchers recommend that AI system developers enforce size limits when uploading images. If reducing the image size is truly necessary, it’s recommended to provide users with a preview of the result. The experts also advise requesting explicit user confirmation for potentially risky operations, especially if text is detected in the image.
“However, the most effective defense is implementing secure design patterns and systematic safeguards that prevent dangerous prompt injections—not just multimodal prompt injections,” the researchers say, citing a paper published in June 2025 on building LLMs resilient to prompt-injection attacks.