AI-GROK-BANKR-WALLET-2026

Presented at Black Hat USA 2025 and DEF CON 33 and published August 6, 2025 by SafeBreach researchers Ben Nassi, Stav Cohen and Or Yair, this indirect prompt injection (dubbed 'promptware') hijacks Google Gemini through poisoned Google Calendar invites, emails and shared documents. An attacker sends the victim a calendar invite whose title contains hidden instructions; the malicious text sits unnoticed because long event lists hide entries behind a 'Show more' control yet still enter Gemini's context. When the victim later asks Gemini a routine request such as summarizing their schedule, the agent ingests the attacker's calendar data as trusted context and executes the embedded directives, abusing Gemini's connected agents and tool permissions. Demonstrated real-world effects included controlling Google Home smart devices to open windows, turn off lights and activate a boiler, plus geolocating the victim, starting a Zoom video stream, deleting calendar events and exfiltrating email content. The researchers privately disclosed to Google in February 2025, and Google deployed layered mitigations including user confirmations, URL sanitization and prompt-injection detection before publication.

Disclosed on September 25, 2025 by Noma Security, ForcedLeak is a CVSS 9.4 indirect prompt-injection chain in Salesforce Agentforce affecting organizations with Web-to-Lead enabled. An attacker submits a public Web-to-Lead form and plants hidden instructions in the Description field, chosen because its roughly 42,000-character limit allows complex multi-step directives. When an employee later asks the Agentforce AI agent to process or summarize that lead, the agent ingests the attacker-controlled text as part of its context and executes the embedded commands, querying and reading internal CRM data such as lead email addresses and other contact and sales-pipeline information. The agent then exfiltrates the harvested data by embedding it in an image or link request to an expired Salesforce-related domain that remained on the Content Security Policy allow-list and was re-registered by researchers for about $5, bypassing egress controls. Salesforce remediated it on September 8, 2025 by re-securing the expired domain and enforcing Trusted URLs for Agentforce and Einstein AI; no CVE was assigned because the issue did not stem from a software version flaw.

In 2025 Cybernews researchers disclosed that Lenovo's GPT-4-based customer-service chatbot 'Lena' could be turned into a cross-site scripting vector through a single prompt injection. A roughly 400-character prompt opened with a normal product question, then instructed the bot to format its reply as HTML and to include an image tag whose source pointed at an attacker-controlled server, insisting the image must be shown. Because the chatbot's output was rendered in the browser without sanitization or output encoding, the untrusted instruction flowed straight into live HTML, and the forced image request caused the victim's browser to call the attacker server and leak active session cookies. The impact extended to support staff: when a chat was escalated, the human agent's workstation rendered the stored malicious HTML, exposing the agent's session and enabling potential session hijacking, redirects, or malware prompts. Cybernews reported finding the flaw on July 22, 2025; Lenovo acknowledged it on August 6, 2025 and deployed fixes by August 18, 2025. The root cause was treating model output as trusted markup and rendering it without filtering.

Coding agents that autonomously read project and external content are vulnerable to indirect prompt injection, where hidden instructions placed in untrusted material the agent ingests hijack its behavior. The injection surface is broad: a poisoned README, source-code comment, GitHub issue or PR comment, a dependency's files, a fetched web page, or an MCP tool description, with instructions often concealed using invisible Unicode characters so a human reviewer never sees them, as Pillar Security demonstrated with the 'Rules File Backdoor' technique. Because the agent cannot distinguish trusted developer instructions from attacker text in the data it processes, the injected commands can direct it to insert a backdoor, weaken security controls, exfiltrate secrets, or run shell/MCP commands. Johann Rehberger (Embrace The Red) proved the data-exfiltration variant in Cursor with CVE-2025-54132 (disclosed June 30, 2025, fixed in v1.3): a comment-embedded payload made Cursor render a Mermaid diagram containing an attacker image URL, auto-firing an outbound request that leaked API keys and agent memory without confirmation. When the developer merges or runs the agent's resulting output unmonitored, the attacker-controlled changes land directly in the codebase or on the developer's machine.

MCP tool poisoning is a supply-chain prompt-injection class in which a malicious Model Context Protocol server embeds hidden directives inside a tool's description metadata. Because MCP clients feed the full tool description into the model's context but typically render only a simplified tool name to the user, the model reads attacker instructions (often wrapped in tags like IMPORTANT) that the human never sees. Invariant Labs disclosed this on April 1, 2025, demonstrating that merely connecting a server lets a benign-looking add() tool silently instruct the agent to read files such as ~/.cursor/mcp.json and ~/.ssh/id_rsa and exfiltrate them through innocuous-seeming parameters; this also enables 'line jumping' (Trail of Bits), where the description influences the model before any tool is invoked, and 'rug pull' variants that mutate a tool's description after the user has already approved it. The class maps to OWASP LLM01:2025 Prompt Injection and the LLM03 supply-chain risk.

Excessive agency is the class of vulnerabilities where an LLM agent is granted broad tool or function access (file system, shell, email send, database writes, payments) and acts on manipulated model output without per-action authorization, turning any successful prompt injection into real damaging actions. OWASP LLM06:2025 (published November 17, 2024) decomposes the root causes into excessive functionality (extensions exposing more than needed, e.g. a doc-reader tool that can also delete), excessive permissions (downstream credentials with UPDATE/INSERT/DELETE when only SELECT is required), and excessive autonomy (high-impact operations executed without confirmation). The canonical exploit chain is an indirect prompt injection inside an incoming email that drives the agent to scan the inbox for sensitive data and forward it to the attacker, because the agent has both send-mail capability and standing authority to act. The class maps to OWASP LLM06:2025 Excessive Agency.