Cybersecurity researchers at Trail of Bits have uncovered a sneaky new corruption vector: malicious instructions embedded in images served by AI chatbots (LLMs). These prompts are invisible to the human eye but become legible to AI models after processing.
The method exploits the way some AI platforms downscale images—for efficiency and performance. During this bicubic interpolation, hidden black text layered onto an image becomes readable, effectively exposing the concealed commands.
Hackers can use this tactic to deliver covert commands or malicious prompts. While the original image appears innocuous, once resized by the AI for analysis, the hidden instructions emerge—potentially allowing the AI to execute unintended or dangerous actions.
What’s especially concerning is the exploitation of legitimate AI workflows. The resizing is a routine process meant to optimize performance or adapt images for analysis—making this an insidious vulnerability that’s hard to detect at a glance.
This discovery reveals a wider issue with multimodal AI systems—those that handle text, audio, and images together. Visual channels can serve as a novel and underappreciated conduit for hidden prompts.
Efforts to flag and prevent such attacks are evolving, but the complexity of multimodal input opens a broader attack surface. Organizations integrating AI into real-world applications must remain on guard and update security practices accordingly.
Ultimately, the Trail of Bits team’s research is a stark warning: as AI becomes more capable and integrated, so too does the ingenuity of those seeking to subvert it. Vigilance, layered defenses, and thoughtful design are more critical than ever.
source: Hackers Exploit Sitecore Zero-Day for Malware Delivery
Viewpoint
This latest attack vector is a chilling example of side-channel exploitation in AI—the same way power usage or timing patterns can leak secrets, here the resizing process is the leaky conduit. What’s especially alarming is how this bypasses typical content filtering: to the naked eye, the image is benign; to the AI, it becomes a Trojan.
Given how prevalent AI tools are becoming—from virtual assistants to diagnostic aides in healthcare—these weaknesses aren’t just theoretical. Any system that processes user-supplied images is potentially exposed. This underscores the need for robust sanitization pipelines that analyze not just the content, but the transformations applied by AI systems.
Moreover, multimodal AI means multimodal vulnerabilities. Researchers and developers must expand their threat models beyond traditional text-based prompt injection and consider every data channel. Techniques like metadata checks, manual image audits, and thorough testing of preprocessing tools should become standard.
Ultimately, this attack emphasizes that convenience must not outpace safety. AI systems must be built with intentional defenses against these emergent threats. Lessons learned today will shape more secure foundations for tomorrow.
OWASP LLM01:2025 Prompt Injection
DISC InfoSec previous posts on AI category
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security
