AI browsers indirect prompt injection via URL fragments HashJack security flaw
Vulnerability
Summary
Hide ▲
Show ▼
HashJack is an indirect prompt injection vulnerability in AI browsers that hides attacker instructions after the # symbol in legitimate URLs, letting a normal-looking link manipulate the assistant into unsafe actions. The issue affected Comet, Copilot for Edge, and Gemini for Chrome; by November 25, fixes had been applied to Comet and Copilot for Edge, while Gemini for Chrome remained unresolved. Researchers said the technique could enable callback phishing, data exfiltration, misinformation injection, malicious downloads, opening ports, and credential theft, and that ordinary server-side and network defenses do not see the fragment payload.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
LayerX BioShocking prompt injection against agentic browsers
Technical Analysis
H score30
First: 24.06.2026 19:05
Last: 24.06.2026 19:05
Sources 1
About this happening:
Researchers demonstrated **BioShocking**, a prompt-injection technique that pushed **six agentic browsers and plugins** past guardrails and made them **copy login credentials** fo...
LayerX BioShocking prompt injection against agentic browsers
Technical AnalysisAbout this happening: Researchers demonstrated **BioShocking**, a prompt-injection technique that pushed **six agentic browsers and plugins** past guardrails and made them **copy login credentials** fo...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
Vulnerability
H score16
First: 29.05.2026 21:07
Last: 29.05.2026 21:07
Sources 1
About this happening:
**ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
OpenAI ChatGPT renderer Markdown link/image phishing security flaw
VulnerabilityAbout this happening: **ChatGPT** has a **response-renderer vulnerability** that turns summarized third-party pages into **live phishing links** and auto-fetched **attacker-hosted images** inside the t...
Torg Grabber browser-extension theft activity
Malware Activity
H score36
First: 25.03.2026 20:32
Last: 25.03.2026 20:32
Sources 1
About this happening:
The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
Torg Grabber browser-extension theft activity
Malware ActivityAbout this happening: The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...
VoidStealer debugger-based ABE-bypass infostealer
Malware Activity
H score29
First: 22.03.2026 16:32
Last: 22.03.2026 16:32
Sources 1
About this happening:
**VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
VoidStealer debugger-based ABE-bypass infostealer
Malware ActivityAbout this happening: **VoidStealer** now uses a **debugger-based ABE bypass** to steal **Chrome** master keys, increasing the risk of browser credential and sensitive-data theft. The infostealer can e...
Timeline
-
26.11.2025 12:15 2 articles · 7mo ago
HashJack fixes applied to Comet and Copilot for Edge
Mitigation Patch UpdatePerplexity and Microsoft had applied fixes for Comet and Copilot for Edge by November 25, while Gemini for Chrome remained unresolved for HashJack, the indirect prompt injection that hides malicious instructions in the text after the # symbol in legitimate URLs.
Show sources
- HashJack Indirect Prompt Injection Weaponizes Websites — www.infosecurity-magazine.com — 26.11.2025 12:15
- Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails — thehackernews.com — 05.12.2025 19:53
-
26.11.2025 12:15 2 articles · 7mo ago
Security researchers disclose HashJack indirect prompt injection
Initial DisclosureSecurity researchers disclosed HashJack as a new indirect prompt injection vulnerability that tricks AI browsers such as Comet, Copilot for Edge and Gemini for Chrome by hiding malicious instructions in URL fragments after the # symbol. The technique can support callback phishing, data exfiltration, misinformation injection, malicious downloads, opening ports and credential theft, while traditional network and server defenses like intrusion detection systems do not see the fragment payload.
Show sources
- HashJack Indirect Prompt Injection Weaponizes Websites — www.infosecurity-magazine.com — 26.11.2025 12:15
- HashJack Indirect Prompt Injection Weaponizes Websites — www.infosecurity-magazine.com — 26.11.2025 12:15