AI systems vulnerable to data-theft via hidden prompts in downscaled images
Summary
Researchers at Trail of Bits have demonstrated a new attack method that exploits image downscaling in AI systems to steal user data. The attack embeds hidden prompts in full-resolution images that only become visible when the images are resampled to lower quality by specific downscaling algorithms. The AI model then interprets these hidden instructions as part of the user's input and executes them without the user's knowledge, potentially leading to data leakage or unauthorized actions. The vulnerability affects multiple AI systems, including Google Gemini CLI, Vertex AI Studio, Google Assistant on Android, and Genspark. The researchers have developed an open-source tool, Anamorpher, to create images for testing this vulnerability. To mitigate the risk, Trail of Bits recommends implementing dimension restrictions on image uploads, providing users with previews of downscaled images, and requiring explicit user confirmation for sensitive tool calls.
Timeline
- 26.08.2025 00:34 · 2 articles
New AI attack hides data-theft prompts in downscaled images
Researchers at Trail of Bits have demonstrated a new attack method that exploits image downscaling in AI systems to steal user data. The attack injects hidden prompts in full-resolution images that become visible when the images are resampled to lower quality. These prompts are interpreted by AI models as user instructions, potentially leading to data leakage or unauthorized actions. The vulnerability affects multiple AI systems, including Google Gemini CLI, Vertex AI Studio, Google Assistant on Android, and Genspark. The attack can be executed without the victim seeing the rescaled image, making it harder to detect. The article also reiterates the importance of the open-source tool, Anamorpher, which can be used by other researchers to craft and visualize image scaling attacks against AI systems.
Sources:
- New AI attack hides data-theft prompts in downscaled images · www.bleepingcomputer.com · 26.08.2025 00:34
- AI Systems Vulnerable to Prompt Injection via Image Scaling Attack · www.securityweek.com · 26.08.2025 13:19
Information Snippets
- The attack exploits the downscaling process in AI systems, where images are resampled to lower quality.
  First reported: 26.08.2025 00:34 · 2 sources, 2 articles
- Hidden prompts in full-resolution images become visible when the images are downscaled using algorithms like nearest neighbor, bilinear, or bicubic interpolation.
  First reported: 26.08.2025 00:34 · 2 sources, 2 articles
- The AI model interprets the hidden text as part of the user's instructions, potentially leading to data leakage or unauthorized actions.
  First reported: 26.08.2025 00:34 · 2 sources, 2 articles
- The vulnerability affects multiple AI systems, including Google Gemini CLI, Vertex AI Studio, and Google Assistant on Android.
  First reported: 26.08.2025 00:34 · 2 sources, 2 articles
- The researchers have developed an open-source tool, Anamorpher, to create images for testing this vulnerability.
  First reported: 26.08.2025 00:34 · 2 sources, 2 articles
- Mitigation strategies include implementing dimension restrictions on image uploads, providing users with previews of downscaled images, and requiring explicit user confirmation for sensitive tool calls.
  First reported: 26.08.2025 00:34 · 1 source, 1 article
  - New AI attack hides data-theft prompts in downscaled images · www.bleepingcomputer.com · 26.08.2025 00:34
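As an added illustration of two of the mitigations listed above (this is example code, not from Trail of Bits, Anamorpher or the cited articles): an upload dimension limit, and a user preview rendered with the exact resampler the model pipeline uses, so the user sees what the model will see. The grayscale list-of-rows image format, the `MAX_UPLOAD_SIDE` policy value and the striped sample are constructed assumptions; the nearest-neighbour and bilinear resamplers are textbook implementations.

```python
# Added example: two of the mitigations named above, in pure Python.
# Images are grayscale lists of rows (0..255); every value is constructed.
from typing import Callable, Dict, List

Pixels = List[List[int]]
MAX_UPLOAD_SIDE = 1024  # hypothetical policy limit, not from the articles

def enforce_dimension_limit(w: int, h: int, max_side: int = MAX_UPLOAD_SIDE) -> bool:
    """Dimension restriction: refuse uploads larger than the policy allows."""
    return 0 < w <= max_side and 0 < h <= max_side

def downscale_nearest(img: Pixels, out_w: int, out_h: int) -> Pixels:
    """Nearest neighbour keeps one source pixel per output pixel; the
    other rows and columns are discarded entirely."""
    in_h, in_w = len(img), len(img[0])
    return [[img[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]

def downscale_bilinear(img: Pixels, out_w: int, out_h: int) -> Pixels:
    """Bilinear blends the four nearest source pixels (pixel-centre mapping)."""
    in_h, in_w = len(img), len(img[0])
    out = []
    for y in range(out_h):
        sy = (y + 0.5) * in_h / out_h - 0.5
        y0 = max(0, min(in_h - 1, int(sy)))
        y1, fy = min(in_h - 1, y0 + 1), max(0.0, sy - y0)
        row = []
        for x in range(out_w):
            sx = (x + 0.5) * in_w / out_w - 0.5
            x0 = max(0, min(in_w - 1, int(sx)))
            x1, fx = min(in_w - 1, x0 + 1), max(0.0, sx - x0)
            top = img[y0][x0] * (1 - fx) + img[y0][x1] * fx
            bot = img[y1][x0] * (1 - fx) + img[y1][x1] * fx
            row.append(round(top * (1 - fy) + bot * fy))
        out.append(row)
    return out

RESAMPLERS: Dict[str, Callable[[Pixels, int, int], Pixels]] = {
    "nearest": downscale_nearest, "bilinear": downscale_bilinear}

def render_preview(img: Pixels, out_w: int, out_h: int, backend_method: str) -> Pixels:
    """Preview mitigation: resample exactly as the backend does.  An unknown
    method is an error, never a silent fallback to another algorithm."""
    if backend_method not in RESAMPLERS:
        raise ValueError(f"unknown resampler: {backend_method}")
    return RESAMPLERS[backend_method](img, out_w, out_h)

# Constructed 4x4 sample, alternating black/white rows: a nearest-neighbour 2x2
# preview keeps only rows 0 and 2 (black); bilinear gives mid-grey (128).
STRIPED_SAMPLE: Pixels = [[0] * 4, [255] * 4, [0] * 4, [255] * 4]
```

The striped sample shows why the preview must use the backend's own algorithm: the same upload previews as solid black under nearest neighbour and as uniform grey under bilinear, so a preview produced with a different resampler than the model pipeline tells the user nothing about what the model will read.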
Similar Happenings
Cursor AI editor autoruns malicious code in repositories
A flaw in the Cursor AI editor allows malicious code in repositories to autorun on developer devices. This vulnerability can lead to malware execution, environment hijacking, and credential theft. The issue arises from Cursor disabling the Workspace Trust feature from VS Code, which prevents automatic task execution without explicit user consent. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to maintain AI and other features. They recommend users enable Workspace Trust manually or use basic text editors for unknown projects. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.
HexStrike AI Exploits Citrix Vulnerabilities Disclosed in August 2025
Threat actors have begun using HexStrike AI to exploit Citrix vulnerabilities disclosed in August 2025. HexStrike AI, an AI-driven security platform, was designed to automate reconnaissance and vulnerability discovery for authorized red teaming operations, but it has been repurposed for malicious activities. The exploitation attempts target three Citrix vulnerabilities, with some threat actors offering access to vulnerable NetScaler instances for sale on darknet forums. The use of HexStrike AI by threat actors significantly reduces the time between vulnerability disclosure and exploitation, increasing the risk of widespread attacks. The tool's automation capabilities allow for continuous exploitation attempts, enhancing the likelihood of successful breaches. Security experts emphasize the urgency of patching and hardening affected systems to mitigate the risks posed by this AI-driven threat. HexStrike AI's client features retry logic and recovery handling to mitigate the effect of failures in any individual step on its complex operations. HexStrike AI has been open-source and available on GitHub for the last month, where it has already garnered 1,800 stars and over 400 forks. Hackers started discussing HexStrike AI on hacking forums within hours of the Citrix vulnerabilities disclosure. HexStrike AI has been used to automate the exploitation chain, including scanning for vulnerable instances, crafting exploits, delivering payloads, and maintaining persistence. Check Point recommends defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.
AI-Driven Ransomware Strain PromptLock Discovered
A new ransomware strain named PromptLock has been identified by ESET researchers. This strain leverages AI to generate malicious scripts in real-time, making it more difficult to detect and defend against. PromptLock is currently in development and has not been observed in active attacks. It can exfiltrate files, encrypt data, and is being upgraded to destroy files. The ransomware uses the gpt-oss:20b model from OpenAI via the Ollama API and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. The ransomware can generate custom ransom notes based on the type of infected machine and uses the SPECK 128-bit encryption algorithm to lock files. PromptLock is assessed to be a proof-of-concept (PoC) rather than a fully operational malware deployed in the wild.
Critical gaps in SIEM detection capabilities revealed by Picus Blue Report 2025
The Picus Blue Report 2025, based on over 160 million real-world attack simulations, reveals that organizations are only detecting 1 out of 7 simulated attacks. This indicates significant gaps in threat detection and response capabilities. The report highlights several core issues affecting SIEM rule effectiveness, including log collection failures, misconfigured detection rules, and performance issues. These problems lead to a false sense of security, as many threats go undetected, leaving networks vulnerable to compromise. The report emphasizes the need for continuous validation of SIEM rules to ensure they remain effective against evolving threats. Regular testing and simulation of real-world attacks are crucial for identifying and addressing detection gaps.