{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/ai-systems/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gemini","Claude","Kubernetes AI Applications","AI agents","AI systems","language models","chatbots","browser extensions","Claude Mythos Preview"],"_cs_severities":["high"],"_cs_tags":["prompt-injection","ai","llm","ai-security","cloud","novel-technique"],"_cs_type":"advisory","_cs_vendors":["Google","Anthropic","Kubernetes"],"content_html":"\u003cp\u003eCrowdStrike's AI security research team has recently uncovered 18 new prompt injection techniques, significantly expanding their taxonomy to over 200 distinct methods observed in real-world AI systems. This development highlights the escalating sophistication of adversaries in manipulating AI agents and Large Language Models (LLMs). These advanced techniques allow attackers to bypass security mechanisms by exploiting hidden context, delayed triggers, semantic constraints, and structural cues, rather than overt jailbreaks. This can lead to AI agents being tricked into performing unauthorized actions, such as executing shell commands, exfiltrating sensitive data, or altering their internal rules. The insights are crucial for defenders as organizations increasingly adopt powerful AI agents that interact with critical resources like web pages, file stores, and internal systems, making robust AI threat modeling and red teaming essential to counter these evolving threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Prompt\u003c/strong\u003e: Adversary designs a prompt containing hidden or fragmented malicious instructions, using techniques like \u0026quot;Trigger-Activated Rule Addition,\u0026quot; \u0026quot;Cognitive Token Suppression,\u0026quot; \u0026quot;Algorithmic Payload Decomposition,\u0026quot; or \u0026quot;Special Token Injection.\u0026quot;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery via Unwitting User\u003c/strong\u003e: The malicious prompt is delivered to an AI agent, often through social engineering, where an authorized user is enticed to input the prompt into the AI system without realizing its true intent, such as copying from a compromised website or social media post.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAI Agent Processes Input\u003c/strong\u003e: The AI agent, designed to follow user instructions, processes the maliciously crafted prompt, which includes the hidden or fragmented commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInjection Technique Activation\u003c/strong\u003e: The embedded prompt injection technique successfully manipulates the AI's internal logic, causing it to misinterpret or prioritize the attacker's directives over its safety guidelines or original instructions. For example, a hidden rule is activated, or safety-related tokens are suppressed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Tool Call/Action\u003c/strong\u003e: The compromised AI agent initiates an unauthorized action based on the injected instructions, such as making tool calls to \u003ccode\u003eexecute_sql_query\u003c/code\u003e, generating unexpected responses, or attempting to write shell commands.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Impact\u003c/strong\u003e: The AI agent, under the attacker's control, exfiltrates sensitive data (e.g., forwarding emails to \u003ccode\u003eanon@evilcorp.corp\u003c/code\u003e), modifies system configurations, or performs other actions impacting confidentiality, integrity, or availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe described prompt injection techniques enable adversaries to achieve significant impact on organizations leveraging AI agents. If successful, these attacks can lead to unauthorized data exfiltration, as demonstrated by the example of emails being duplicated and forwarded to attacker-controlled addresses. AI agents could be coerced into executing arbitrary shell commands, granting attackers remote code execution capabilities on underlying infrastructure. Furthermore, the manipulation of AI agents could result in the bypass of security controls, altered system behavior, and the generation of misleading or harmful content, leading to reputational damage, financial loss, and compromise of critical systems. These attacks target any organization integrating AI agents with access to internal systems or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize comprehensive AI threat modeling that accounts for all potential sources of model context, including prompts, files, RAG pipelines, and external APIs.\u003c/li\u003e\n\u003cli\u003eEnhance AI red teaming exercises to include advanced prompt injection techniques such as boundary mimicry, indirect injection, and delayed activation, beyond simple jailbreaking attempts.\u003c/li\u003e\n\u003cli\u003eConfigure AI agent logging to capture tool calls and system interactions, and deploy the provided Sigma rule to detect suspicious outbound network connections to domains like \u003ccode\u003eevilcorp.corp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of \u0026quot;Unwitting User Delivery\u0026quot; and social engineering tactics that entice them to input malicious prompts into AI systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T11:07:08Z","date_published":"2026-07-08T07:51:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-prompt-injection/","summary":"CrowdStrike's AI security research team has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 methods, which enable adversaries to manipulate AI systems and agents through indirect means like hidden context, delayed triggers, and special token injection, leading to unauthorized actions such as data exfiltration or arbitrary command execution.","title":"CrowdStrike Uncovers New Prompt Injection Techniques","url":"https://feed.craftedsignal.io/briefs/2026-07-prompt-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AI systems","AI agents","chatbots","large language models","Kubernetes AI Applications","Gemini"],"_cs_severities":["high"],"_cs_tags":["prompt-injection","ai-security","llm","agentic-ai","cloud","threat-research"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eCrowdStrike's AI security research team, in July 2026, has expanded its taxonomy of prompt injection techniques by 18 new additions, now covering over 200 distinct methods adversaries are using to manipulate AI systems. These evolving techniques reflect how prompt injection attacks are manifesting in real-world AI systems, moving beyond simple jailbreaks to more sophisticated approaches. The core delivery mechanism involves indirect prompt injection, where malicious instructions are hidden within data consumed by AI agents, or through \u0026quot;Unwitting User Delivery\u0026quot; (IM0005) via social engineering. The threat matters for defenders because modern AI agents can perform sensitive actions such as crawling webpages, accessing file stores, and writing shell commands. Specific new techniques include Trigger-Activated Rule Addition (PT0201) for delayed activation, Cognitive Token Suppression (PT0197) to bypass safety mechanisms, Algorithmic Payload Decomposition (PT0200) for filter evasion, and Special Token Injection (PT0198) to confuse AI system boundaries, all aiming to hijack agent capabilities and cause further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis brief describes new techniques for prompt injection and does not detail a specific end-to-end attack campaign from initial access to impact. The following outlines how these techniques are leveraged once an attacker introduces a malicious prompt or data to an AI system.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (via Social Engineering):\u003c/strong\u003e An adversary employs social engineering or deceptive tactics to trick an authorized user into submitting a crafted prompt, effectively turning the user into an \u0026quot;Unwitting User Delivery\u0026quot; (IM0005) vector. This can involve copying/pasting hidden commands or using compromised browser extensions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrompt Manipulation (Algorithmic Payload Decomposition):\u003c/strong\u003e The attacker fragments a malicious instruction into multiple benign-looking steps, variables, or characters. This \u0026quot;Algorithmic Payload Decomposition\u0026quot; (PT0200) technique evades immediate detection by filters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass Defenses (Special Token Injection):\u003c/strong\u003e The fragmented payload or a new prompt includes \u0026quot;Special Token Injection\u0026quot; (PT0198), mimicking internal structural cues (e.g., \u003ccode\u003e\u0026lt;tool_call\u0026gt;\u003c/code\u003e) used by the AI system to differentiate system commands from user input, causing boundary confusion and elevating untrusted content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion (Cognitive Token Suppression):\u003c/strong\u003e The malicious prompt attempts \u0026quot;Cognitive Token Suppression\u0026quot; (PT0197) by instructing the AI model to avoid using specific safety-related terms or refusal vocabulary, hindering its ability to generate secure responses or block the attack.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelayed Execution (Trigger-Activated Rule Addition):\u003c/strong\u003e The attacker embeds a \u0026quot;Trigger-Activated Rule Addition\u0026quot; (PT0201) instruction into the AI's context. This instruction remains dormant until a specific trigger phrase, event, or condition occurs, at which point the AI agent begins to follow the new, malicious rule.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAction on Objectives (Execution):\u003c/strong\u003e The compromised AI agent, following the injected rules, executes unintended or malicious commands, such as an \u003ccode\u003eexecute_sql_query\u003c/code\u003e to access sensitive data, or shell commands to interact with underlying systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Data Exfiltration):\u003c/strong\u003e The AI agent, now under adversary control, proceeds to exfiltrate data, for example, by duplicating and forwarding sensitive emails to an attacker-controlled address like \u003ccode\u003eanon@evilcorp.corp\u003c/code\u003e, or by accessing and leaking internal files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed impact of successful prompt injection ranges from subtle manipulation of AI behavior to significant security breaches. Adversaries can hijack agent capabilities, leading to unintended actions like executing arbitrary shell commands, performing SQL injection-like queries, or accessing and exfiltrating sensitive data. This can bypass existing security rules, steer agents into unsafe actions, and result in data loss or system compromise. While specific victim counts are not provided, the techniques target general AI systems and agents, affecting any organization deploying such technologies, especially those relying on AI for critical operations or data handling.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust AI threat modeling that accounts for all possible origins of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to understand potential injection points.\u003c/li\u003e\n\u003cli\u003eConduct targeted AI red teaming exercises that go beyond simple \u0026quot;ignore previous instructions\u0026quot; and incorporate boundary mimicry, indirect injection, and delayed activation scenarios, as described by techniques like PT0198 and PT0201.\u003c/li\u003e\n\u003cli\u003eMonitor for and block outbound network connections from AI systems or agents to suspicious domains, such as \u003ccode\u003eevilcorp.corp\u003c/code\u003e, which was identified as an exfiltration target in an example for the IM0005 technique.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of \u0026quot;Unwitting User Delivery\u0026quot; (IM0005) by training them to recognize and avoid deceptive tactics that could lead to submitting malicious prompts.\u003c/li\u003e\n\u003cli\u003eDeploy specialized AI security solutions capable of analyzing and detecting fragmented (PT0200), suppressed (PT0197), or specially tokenized (PT0198) instructions within prompts before they are processed by AI models.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T06:05:47Z","date_published":"2026-07-08T06:05:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/","summary":"CrowdStrike's AI security research team has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 methods, which adversaries can use to manipulate AI systems and agents through hidden context, delayed triggers, semantic constraints, boundary spoofing, and social engineering, potentially leading to agent hijacking, data exfiltration, or system compromise by causing them to execute unintended commands like shell scripts or SQL queries.","title":"CrowdStrike Uncovers New Prompt Injection Techniques","url":"https://feed.craftedsignal.io/briefs/2026-07-crowdstrike-prompt-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - AI Systems","version":"https://jsonfeed.org/version/1.1"}