
Two Weeks in July That Proved Prompt Injection Cuts Both Security Ways
Between late June and early July 2026, two unrelated disclosures landed within days of each other and, taken together, drew a clean line through the security assumptions most organizations are still making about AI tooling. In one, researchers demonstrated that six major AI-powered browsers could be manipulated into exfiltrating user credentials. In the other, a North Korea-linked malware sample embedded 38 fabricated system messages designed to talk defenders' own AI analysis tools out of flagging it. Same underlying mechanism. Opposite directions. Both worked by exploiting the fact that large language models cannot reliably distinguish instructions from data.
Key Takeaways
- The BioShocking attack tricked AI browsers from six vendors into copying and exfiltrating user credentials from visited pages, using a prompt injection technique that first broke the agent's trust in its own rules.
- macOS.Gaslight, a Rust-based backdoor attributed to North Korean actors, embedded 38 fake system messages to derail AI-assisted malware triage, representing a significant escalation from earlier single-block injection attempts.
- Both incidents exploit the same structural weakness: prompt injection is not a bug with a patch, but a property of how current language models process mixed-trust input in a shared context window.
- Vendor response to BioShocking was uneven at best: one vendor fixed it, one closed the report without acting, three never responded, and one attempted a patch that did not hold.
- The Gaslight technique has not yet succeeded against production AI analysis platforms, but the iterative refinement from one injected block to 38 messages signals a maturing attacker capability, not a research curiosity.
What happened with BioShocking?
Security firm LayerX demonstrated a technique they called "BioShocking" that tricked six AI browsers and assistants into copying user credentials and sending them to an attacker-controlled endpoint. The targets included browser extensions and agentic browsing products from multiple major vendors. The attack surface was not a code vulnerability in the traditional sense. It was the model's willingness to follow instructions embedded in the content it was reading.
The mechanism was clever in a way that should make you uncomfortable. The researchers had the AI agent solve a rigged puzzle that rewarded wrong answers (insisting, for instance, that two plus two equals five). Once the agent accepted that the rules it was following could be wrong, it stopped treating its own safety instructions as authoritative and could be redirected to copy credentials from a page and exfiltrate them. The name is a nod to BioShock's "would you kindly" plot device, and the analogy is uncomfortably apt: the agent followed instructions because it had been conditioned to comply, not because it understood the consequences.
LayerX had notified the affected vendors between October 2025 and January 2026. Public disclosure came months later. The gap matters.
How did vendors respond to the BioShocking disclosure?
Unevenly, to put it mildly. One vendor patched the issue in its product. Perplexity closed the report without acting on it. Three vendors (Fellou, Genspark, Sigma) did not respond at all. Anthropic attempted a fix for its Claude browser extension, but the patch reportedly did not hold. That distribution of responses is itself a data point. It tells you something about how the industry currently thinks about prompt injection: as an annoyance to be managed, not an architectural risk to be designed against.
Independent enterprise testing during the same period found that leading AI browsers blocked only a small share of malicious test pages, suggesting BioShocking is not an outlier but one data point in a broader pattern of weak real-world defenses.
What is macOS.Gaslight and why does it matter more than BioShocking?
This is the one that should keep you up later. On June 23, 2026, SentinelLabs disclosed a Rust-based macOS backdoor and infostealer they named macOS.Gaslight, attributed with high confidence to North Korea-aligned actors. It is a competent piece of malware on its own merits: a backdoor with infostealing capability, written in Rust, targeting macOS. What made it notable was a secondary feature. The binary contained 38 fabricated system messages designed to interfere with AI-assisted malware triage.
The fake messages warned of token expiry, disk and memory errors, repeated analysis failures, and bogus injection flaws. The intent was to push an AI agent performing triage into aborting its analysis or refusing to continue. The malware was, in a very literal sense, trying to gaslight the analyst's tools.
SentinelLabs was clear about what has and has not been demonstrated: the prompt injection technique did not bypass any production AI malware analysis platform in current testing. The technique failed. But the fact that it was attempted, and attempted at this level of sophistication, is the story.
Why is the Gaslight escalation trendline significant?
Because Gaslight is not the first attempt; it is the latest in a series that shows iterative refinement. Earlier North Korean macOS samples used a single injected message block for the same purpose. Similar prompt-injection-in-malware techniques were documented by Check Point in 2025 against Windows targets, and supply-chain payloads like Hades and Shai-Hulud used simpler single-block injections.
One block became 38 messages. That is not a research curiosity. That is an engineering team iterating on a technique, presumably testing it against real tools between releases and adjusting. The progression from a single injected block to a carefully structured cascade of 38 fabricated system messages suggests the operators are running their own evaluations. They are, in effect, red-teaming the red-team tools.
The fact that traditional detection still caught it (Apple updated XProtect with a targeting rule in early June, and by June 30, twenty-nine vendors were flagging the file on VirusTotal) does not diminish the concern. Signature-based detection caught this sample. It will not necessarily catch the next iteration, especially if the operators learn to decouple the prompt injection payload from the detectable malware signatures.
What makes prompt injection different from a normal vulnerability?
There is no CVE to file and no patch to ship. Prompt injection is not a flaw in a specific line of code. It is a property of how current language models work. They process instructions and data in the same context window, and they cannot reliably distinguish between the two. Every mitigation proposed so far (system prompts, instruction hierarchies, input sanitization, output filtering) reduces the attack surface without eliminating it.
The UK's National Cyber Security Centre has warned that prompt injection may never be totally mitigated. OWASP classified it as the number-one risk in LLM application security (LLM01 in its 2025 ranking), and its 2026 State of Agentic AI Security report concluded the vulnerability may be structural rather than patchable.
If you are building on top of language models, or deploying tools that use them, this is the operating assumption you need to internalize: the model will, under adversarial conditions, sometimes follow attacker instructions. The question is what damage that can cause given your architecture.
Why is this really an architecture problem, not a model problem?
Most commentary about both incidents focuses on model-level guardrails failing. That framing is not wrong, but it is incomplete, and it leads to the wrong set of responses. The deeper issue is architectural.
In BioShocking, the AI browser agent had access to the user's credentials in the same session context where it was processing untrusted web content. The model did not need to "hack" anything. It just needed to be convinced to copy data from one part of its context to an outbound channel. The credentials and the attacker's instructions coexisted in the same context window. That is an architecture choice, not a model failure.
In Gaslight, the malware binary contained instructions that would be processed by an AI tool analyzing it. The analysis tool was treating the artifact under examination as context, which means attacker-controlled data was being fed into the same processing pipeline that made trust decisions. Again: architecture.
The fix that actually works is not "make the model smarter about distinguishing instructions from data" (though that helps at the margin). The fix is: never let untrusted content and privileged operations share a context window. Isolate credentials at the network or proxy layer so the model literally cannot see the secret it is using. Treat every artifact under analysis as hostile input, not context. These are infrastructure decisions, not prompt engineering decisions.
The Anthropic patch that reportedly did not hold is instructive here. Model-level mitigations are, by their nature, probabilistic. An attacker who can iterate (and the Gaslight progression shows they can) will eventually find a formulation that slips through. Architectural isolation is deterministic. The model cannot exfiltrate a credential it never had access to.
Why is the defender-side attack the more urgent story?
Nearly all the coverage in June and July led with BioShocking. The consumer-facing, credential-stealing attack is easier to explain and easier to scare people with. But if you run a security team, or build security tooling, Gaslight should concern you more.
BioShocking targets the AI tools your employees use. Gaslight targets the AI tools your defenders use. The distinction matters because security teams are increasingly relying on AI-assisted triage to handle alert volume. If an attacker can cause those tools to dismiss or abort analysis of a specific sample, the malware gets a free pass through exactly the layer that was supposed to catch it. You have built a trust chain that includes an AI component, and the attacker is injecting instructions into the input of that component.
The SentinelLabs researchers made this point explicitly. AI-assisted SOC and triage tools need the same adversarial assumptions that we apply to production LLM applications. Every artifact under analysis should be treated as potentially containing hostile instructions. This has not been operationalized industry-wide. Most AI-assisted analysis tools still process binary content, strings, and metadata in a way that could allow embedded instructions to influence the model's behavior.
The fact that Gaslight failed against current production tools is reassuring only if you believe the attackers will stop iterating. The progression from one block to 38 messages suggests otherwise.
What does this mean for how you should evaluate AI-integrated products?
Three questions worth asking about any AI-integrated product you use or build:
- Does the model ever see credentials, secrets, or privileged tokens in its context window? If yes, prompt injection can potentially exfiltrate them. The BioShocking attack is the proof of concept. Credential isolation at the infrastructure layer is the only mitigation that holds under adversarial pressure.
- Does the product process untrusted input in the same context as its operating instructions? If yes, those instructions can be overridden. This is true for browser agents reading web pages, email assistants processing messages, and analysis tools examining malware samples. The content being processed should never be able to modify the tool's behavior.
- What happens when the model-level guardrails fail? Because they will, eventually, under sufficient adversarial pressure. The question is whether the architecture limits the blast radius. Can the model authorize a payment, exfiltrate data, or suppress an alert on its own, or does a deterministic system gate those actions?
How does this shape what we build at Selina?
We think about this constantly because we operate an AI assistant that handles personal and sensitive data. Our architecture is built around a few assumptions that these two weeks validated.
First: memory is encrypted at rest, but memory is NOT end-to-end encrypted. A slice of each request reaches a frontier provider at inference. We state this plainly because it defines the threat model. Files and transfers via SelinaSEND are zero-knowledge encrypted end-to-end, meaning we cannot read them. Memory is a different category with different properties, and pretending otherwise would be dishonest.
Second: we use a stack of frontier models, routed per task. We do not name them. But the relevant point here is that we assume any model in the stack can, under adversarial conditions, be manipulated. Our defenses are architectural, not just prompt-level. Privileged operations are bounded automatically. The model does not have access to credentials or secrets in its context window during content processing. Non-content operational metadata is kept for a short retention window, not indefinitely.
Third: we do not claim these defenses are perfect. Prompt injection is, as the evidence now clearly shows, a structural property of current language models. We cannot guarantee a model will never follow a malicious instruction. What we can control is what a compromised model is able to do given our architecture. The blast radius is bounded by design, not by hope.
Delete means gone. Actually gone. But we are not going to tell you that the model processing your request is incorruptible, because the evidence says otherwise. What we will tell you is that we built the system assuming it is not.
Where does this go from here?
Two predictions, stated flatly because hedging them would be dishonest about what the evidence supports:
Prompt injection in malware will become standard practice. The Gaslight progression (one block to 38 messages, single-target to multi-message cascades) is a capability maturation curve. Within twelve months, expect to see prompt injection payloads tailored to specific analysis tools, not just generic "please ignore this file" messages. The attackers are iterating faster than most defenders are adapting.
AI browser and agent credential theft will produce a real-world breach with material impact. BioShocking was a research demonstration. The vendors' uneven response (one patch, one closed report, three non-responses, one failed fix) means the attack surface is largely still open. Someone will exploit it outside a research context. The only question is whether it will be attributed quickly enough to drive architectural changes or quietly exploited for months before discovery.
The two weeks in late June and early July did not reveal a new class of attack. They demonstrated, concretely and publicly, that a known class of attack has matured to the point where it works in both directions: against the AI tools your people use, and against the AI tools your defenders use. The mechanism is the same. The mitigations that actually work are architectural, not model-level. And the attackers are iterating.
If you want to see how we handle this in practice, start a free 7-day trial, no card required.
Frequently Asked Questions
What was the BioShocking attack and how did it work?
BioShocking was a technique demonstrated by security firm LayerX that tricked six AI browsers into copying user credentials from visited pages and sending them to an attacker-controlled endpoint. It worked by first getting the agent to accept a rigged puzzle with a wrong answer, undermining its trust in its own rules, after which it could be redirected to exfiltrate data.
How did vendors respond to the BioShocking disclosure?
The response was uneven: one vendor patched the issue, Perplexity closed the report without acting, three vendors (Fellou, Genspark, Sigma) never responded, and Anthropic's attempted patch for its Claude browser extension reportedly did not hold.
What is macOS.Gaslight and what did it try to do?
macOS.Gaslight is a Rust-based backdoor and infostealer attributed to North Korea-aligned actors, disclosed by SentinelLabs in June 2026. It embedded 38 fabricated system messages meant to trick AI-assisted malware triage tools into aborting or refusing analysis, though it did not succeed against any production AI analysis platform in testing.
Why is the jump from one injected message to 38 significant?
Earlier North Korean malware samples and similar techniques used just a single injected message block, so the escalation to a structured cascade of 38 fabricated messages suggests attackers are iteratively refining and testing the technique against real tools, not just experimenting once.
Why can't prompt injection simply be patched like a normal vulnerability?
Prompt injection isn't a flaw in specific code but a structural property of how language models process instructions and data together in the same context window, making them unable to reliably tell the two apart. Mitigations like instruction hierarchies or input filtering reduce but don't eliminate the risk, which is why groups like the UK's NCSC and OWASP consider it potentially unpatchable.
Sources & References
- New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials
- Researchers Trick AI Browsers Into Leaking Credentials - Infosecurity Magazine
- “BioShocking” tricks AI browsers into leaking your passwords
- Agentic Browser Security: Stop Prompt-Injection Exfil
- Prompt Injection Now Cuts Both Ways: Two Weeks That Turned the AI You Deployed Into an Attack Surface | Innovaiden
- New BioShocking Attack Tricks AI Browsers
- Security researchers trick AI browsers into revealing passwords using BioShock-inspired prompt injection
- AI browsers face new credential leak warning — Arabian Post
- Are AI Browsers Safe? The Prompt Injection Risk (2026)
- New BioShocking attack manipulates AI browser into data theft
- North Korea macOS Malware Targets AI Analyst Tools: Gaslight Embeds 38 Fake Error Messages
- Gaslight macOS Malware Is a Warning Shot at the AI Security Stack
- macOS Backdoor Uses Prompt Injection to Evade AI Triage - Infosecurity Magazine
- Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis - Security Boulevard
- Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis
- macOS.Gaslight: North Korea-Linked Malware That Tries to Gaslight the Analyst - Security Affairs
- North Korea-Linked macOS Malware Uses Prompt Injection to Evade AI Analysis
- New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis
- Gaslight macOS Malware Targets AI Analysis with Prompt Injection
