Prompt injection and multimodal 'promptware' attacks against LLM-based systems
Security researchers and commentators warned that attacks on LLM-based systems are evolving beyond simple “prompt injection” into a broader execution mechanism dubbed promptware, with a proposed seven-step promptware kill chain to describe how malicious instructions enter and propagate through AI-enabled applications. The core risk highlighted is architectural: LLMs treat system instructions, user input, and retrieved content as a single token stream, enabling indirect prompt injection where hostile instructions are embedded in external data sources (web pages, emails, shared documents) that an LLM ingests at inference time; the attack surface expands further as models become multimodal, allowing instructions to be hidden in images or audio.
Related academic work demonstrated a concrete multimodal variant against embodied AI using large vision-language models: CHAI (Command Hijacking Against Embodied AI), which embeds deceptive natural-language instructions into visual inputs (e.g., road signs) to influence agent behavior in scenarios including drone emergency landing, autonomous driving, and object tracking, reportedly outperforming prior attacks in evaluations. Separately, reporting on a viral “AI caricature” social-media trend framed the risk as downstream social engineering and potential LLM account takeover leading to exposure of prompt histories and employer-sensitive data; while largely hypothetical, it underscores how widespread consumer LLM use and public oversharing can increase the likelihood and impact of prompt-driven compromise paths.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Lawfare outlines a broader 'promptware kill chain' for LLM attacks
A Lawfare analysis argued that so-called prompt injection should be understood as a broader malware-like execution mechanism called 'promptware' and proposed a seven-stage kill chain for LLM and agent compromises. It cited prior demonstrations involving a malicious Google Calendar invite and an email-borne self-replicating prompt as examples of multistage compromise and recommended defense-in-depth rather than assuming prompt injection can be fully fixed.
Researchers introduce CHAI attacks against embodied AI systems
Academic research described a new attack class called Command Hijacking Against Embodied AI (CHAI), which embeds deceptive natural-language instructions in visual inputs such as road signs to manipulate LVLM-driven agents. The work reported tests against multiple embodied AI scenarios, including autonomous driving, drone emergency landing, aerial tracking, and a real robotic vehicle.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Prompt Injection Risks Expand From LLMs to Embodied AI via Environmental Text
Researchers and security commentators warned that **prompt injection** remains a fundamental weakness in today’s large language models (LLMs), where carefully crafted inputs can override guardrails and elicit restricted actions or sensitive data. Bruce Schneier described prompt injection as an inherent, open-ended attack surface—ranging from obvious “ignore previous instructions” phrasing to more indirect techniques such as embedding malicious instructions in *ASCII art* or in text rendered inside images—arguing that point fixes for individual tricks do not provide universal protection with current LLM approaches. New academic work highlighted that the same class of failures can extend into the physical world for **embodied AI** (e.g., robots, autonomous vehicles) through “**environmental indirect prompt injection**,” where misleading text placed on signs, posters, or objects is ingested by vision-language perception systems and treated as actionable instructions, potentially influencing real-world behavior. A separate TechXplore piece focused more broadly on *responsible/ethical AI* practices in industry (an interview format) and did not materially add technical detail on prompt injection or a specific security incident, making it less relevant to the core story about prompt-injection-driven hijacking risks and emerging attack pathways.
Mar 21, 2026
Prompt Injection Attacks and Security Challenges in AI Systems
Prompt injection has emerged as a critical security concern in the deployment of large language models (LLMs) and AI agents, with attackers exploiting the way these systems interpret and execute instructions. Security researchers have drawn parallels between prompt injection and earlier vulnerabilities like SQL injection, highlighting its potential to undermine the intended behavior of AI models. Prompt injection involves manipulating the input prompts to override or bypass the system-level instructions set by developers, leading to unauthorized actions or data leakage. The attack surface is broad, as LLMs are increasingly integrated into applications and workflows, making them attractive targets for adversaries. Multiple organizations, including OpenAI, Microsoft, and Anthropic, have initiated efforts to address prompt injection, but the problem remains unsolved due to the complexity and adaptability of AI models. Real-world demonstrations have shown that prompt injection can be used to break out of agentic applications, bypass browser security rules, and even persistently compromise AI systems through mechanisms like memory manipulation. Security conferences such as BlackHat USA 2024 have featured research on exploiting AI-powered tools like Microsoft 365 Copilot, where attackers can escalate privileges or exfiltrate data by crafting malicious prompts or leveraging markdown image vectors. Researchers have also identified that AI agents can be tricked into ignoring browser security policies, such as CORS, leading to potential cross-origin data leaks. Defensive measures, such as intentionally limiting AI capabilities or implementing stricter input filtering, have been adopted by some vendors, but these often come at the cost of reduced functionality. The security community is actively developing standards, such as the OWASP Agent Observability Standard, to improve monitoring and detection of prompt injection attempts. Despite these efforts, adversaries continue to find novel ways to exploit prompt injection, including dynamic manipulation of tool descriptions and bypassing image filtering mechanisms. The rapid evolution of AI technologies and the proliferation of agentic applications have made it challenging to keep pace with emerging threats. Security researchers emphasize the need for ongoing vigilance, robust testing, and collaboration across the industry to mitigate the risks associated with prompt injection. The use of AI in sensitive environments, such as enterprise productivity suites and web browsers, amplifies the potential impact of successful attacks. As AI adoption accelerates, organizations must prioritize understanding and defending against prompt injection to safeguard their systems and data. The ongoing research and public disclosures serve as a call to action for both developers and defenders to address this evolving threat landscape.
Mar 21, 2026
Indirect Prompt Injection and AI Agent Abuse Expands Real-World Attack Surface
Security researchers and industry reporting describe **prompt injection—especially web-based indirect prompt injection (IDPI)**—as an increasingly practical technique for compromising or manipulating **LLM-powered agents** embedded in browsers and automated content pipelines. Palo Alto Networks Unit 42 reported in-the-wild IDPI activity where malicious instructions are hidden in web content that an agent later ingests, with observed objectives including **AI-based ad review evasion** and **SEO manipulation** that promotes phishing infrastructure. Separately, Zenity Labs detailed a now-patched issue in Perplexity’s *Comet* AI browser where attackers could embed instructions in a **calendar invite** to coerce the agent into accessing `file://` resources and potentially pivoting into sensitive data such as an unlocked **1Password** extension vault, illustrating how agentic tooling can bypass traditional browser-origin assumptions. Threat reporting also shows adversaries operationalizing AI to scale exploitation. Team Cymru linked an AI-assisted Fortinet FortiGate targeting campaign (previously reported by Amazon Threat Intelligence as compromising **600+ devices across 55 countries** using services like **Claude** and **DeepSeek**) to use of **CyberStrikeAI**, an open-source Go-based platform that integrates 100+ security tools and was observed from multiple IPs (primarily hosted in China/Singapore/Hong Kong, with additional infrastructure elsewhere). Multiple commentaries and briefings emphasize that conventional “filter the prompt” defenses are insufficient because LLMs lack a native separation between instructions and data; they call for **defense-in-depth** around AI pipelines, including least-privilege agent permissions, auditable tool use, and stronger identity/workload controls as agent deployments multiply. Several items in the set are unrelated (geopolitical cyber activity, workforce/culture pieces, jobs, and product/market commentary) and do not materially inform the prompt-injection/agent-abuse story.
Mar 21, 2026