<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Artificial-Intelligence - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/artificial-intelligence/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 19:29:24 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/artificial-intelligence/feed.xml" rel="self" type="application/rss+xml"/><item><title>New Prompt Injection Techniques Targeting AI Systems and Agents</title><link>https://feed.craftedsignal.io/briefs/2026-07-new-prompt-injection-techniques/</link><pubDate>Tue, 07 Jul 2026 19:29:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-new-prompt-injection-techniques/</guid><description>Adversaries are leveraging new prompt injection techniques such as Trigger-Activated Rule Addition (PT0201), Algorithmic Payload Decomposition (PT0200), and Special Token Injection (PT0198) to manipulate AI models like Gemini and Claude, enabling them to hijack AI capabilities, bypass controls, and execute unauthorized commands through deceptive input, including via unwitting users (IM0005).</description><content:encoded><![CDATA[<p>CrowdStrike has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 distinct methods, which are being exploited by adversaries to manipulate advanced AI systems and agents. These techniques, published on July 7, 2026, enable attackers to subvert AI models, such as Google Gemini and Anthropic Claude, by injecting hidden, fragmented, or context-altering instructions. The attacks range from &quot;sleeping&quot; instructions that activate conditionally (Trigger-Activated Rule Addition, PT0201) to methods for bypassing safety filters (Cognitive Token Suppression, PT0197) and executing arbitrary commands, including SQL injection (Special Token Injection, PT0198). A critical delivery mechanism identified is &quot;Unwitting User Delivery&quot; (IM0005), where users are socially engineered into submitting malicious prompts inadvertently, causing the AI agent to operate under the user's authenticated session and execute attacker-controlled directives. This evolution in prompt injection necessitates a significant shift in AI security defenses and threat modeling.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker Crafts Malicious Prompt</strong>: Adversaries design sophisticated prompts embedding hidden instructions, fragmented payloads, or special tokens, using techniques like <code>Algorithmic Payload Decomposition</code> (PT0200) to evade detection.</li>
<li><strong>Delivery of Malicious Prompt</strong>: The crafted prompt is introduced into the AI system, potentially via <code>Unwitting User Delivery</code> (IM0005), where a legitimate user is socially engineered (e.g., through a TikTok post) to copy and paste the malicious input into an AI chat.</li>
<li><strong>AI System Processes Input</strong>: The target AI model or agent (e.g., Gemini, Claude) receives and parses the input, which now contains the embedded malicious instructions within a seemingly benign context.</li>
<li><strong>Internal Manipulation/Activation</strong>: The AI's internal mechanisms are subverted. This could involve <code>Special Token Injection</code> (PT0198) creating boundary confusion, or <code>Trigger-Activated Rule Addition</code> (PT0201) installing a &quot;sleeping&quot; instruction that activates under specific conditions.</li>
<li><strong>Bypass of Security Mechanisms</strong>: Techniques like <code>Cognitive Token Suppression</code> (PT0197) are employed to prevent the AI from generating standard safety disclaimers or refusal messages, leading it to produce riskier or less clear outputs.</li>
<li><strong>Execution of Unauthorized Commands</strong>: The manipulated AI agent, operating within its expanded capabilities (e.g., access to webpages, file stores, ability to write shell commands), executes the attacker's directives, such as performing SQL injection or system commands.</li>
<li><strong>Achieve Impactful Action</strong>: The attacker achieves their objective, which may include data exfiltration, unauthorized modification of systems, or further lateral movement, leveraging the compromised AI agent as an pivot point.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The observed impact of these prompt injection techniques includes the hijacking of AI agent capabilities, execution of arbitrary commands (such as SQL injection), and the bypassing of established security rules and policies. Attackers can steer AI agents into unsafe actions, leading to potential data exfiltration or system compromise by leveraging the AI's access permissions. The increase to over 200 distinct prompt injection techniques highlights a rapidly evolving threat landscape where AI systems, if not properly secured, can become vectors for significant organizational damage. Without robust defenses, organizations leveraging AI agents could face compliance issues, data breaches, and operational disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement comprehensive AI threat modeling that explicitly accounts for all potential sources of model context, including prompts, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to detect and mitigate potential manipulation via <code>Trigger-Activated Rule Addition (PT0201)</code>, <code>Algorithmic Payload Decomposition (PT0200)</code>, and <code>Special Token Injection (PT0198)</code>.</li>
<li>Conduct rigorous AI red teaming exercises that move beyond basic &quot;ignore previous instructions&quot; and incorporate advanced techniques such as boundary mimicry, indirect injection, and delayed activation to proactively identify vulnerabilities related to techniques like <code>Cognitive Token Suppression (PT0197)</code>.</li>
<li>Educate users about the risks of <code>Unwitting User Delivery (IM0005)</code> by providing examples of how malicious prompts can be disguised in social engineering campaigns, emphasizing caution when copying and pasting information into AI systems.</li>
<li>Review and harden AI agent configurations, particularly those with access to sensitive resources or the ability to execute commands, to restrict their capabilities and ensure strict adherence to least privilege principles, mitigating the impact of successful prompt injections that lead to unauthorized command execution (as seen in the <code>Special Token Injection</code> example).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prompt-injection</category><category>ai</category><category>llm</category><category>threat-intelligence</category><category>crowdstrike</category><category>artificial-intelligence</category></item></channel></rss>