Skip to main content
  1. Home
  2. Emerging Tech
  3. News

Researchers hid a prompt injection inside a PNG, and AI fell for it

Add as a preferred source on Google
Hacker
Hacker

AI coding assistants like Claude are becoming every developer’s favorite coworker. They can review code, explain confusing functions, and even write entire features with a single prompt. But new research suggests that this growing trust could also become their biggest weakness.

A team of security researchers (professor Sudipta Chattopadhyay and researcher Murali Ediga) has demonstrated an unusual attack that doesn’t target the AI model directly. Instead, it targets what the AI doesn’t pay enough attention to during code reviews. Rather than hiding malicious instructions in lines of code, the researchers tucked them inside an image file. Since many AI review tools treat images as decorative assets rather than as something worth inspecting, the pull request can appear perfectly harmless and sail through the review.

The most dangerous file might be the one you’d never open

Imagine receiving a document with a company logo in the corner. You’d probably glance at it and move on. Now imagine that logo secretly contained instructions telling your AI assistant to open your password vault the next time you used it. That’s essentially the idea behind this proof of concept. The trick doesn’t execute immediately after the code is merged, either. It waits until a developer later asks an AI coding assistant to perform a completely unrelated task, such as creating a helper function or adding a new module. By then, the AI has already absorbed the hidden instructions and can unknowingly access sensitive project files before slipping confidential information into the code it generates.

What’s especially worrying is that the stolen data isn’t dumped into the source code in an obvious way. Instead, it’s disguised as ordinary-looking values that blend in with legitimate code, making them far less likely to trigger existing security tools or catch a developer’s eye during a quick review.

It’s not just about which AI you use

The researchers also found that the outcome wasn’t determined by which large language model was being used. In many cases, the same AI model behaved very differently depending on the coding assistant wrapped around it. Some tools blindly followed the hidden instructions, while others recognized something suspicious and refused to continue. That’s an important distinction because it suggests the problem isn’t limited to a particular chatbot. The real challenge lies in how AI-powered coding platforms decide what information to trust and which project files they’re allowed to access.

The good news is that the researchers don’t believe this is an impossible problem to solve. They argue that AI review tools need to become “multimodal” in the truest sense — treating images, documentation, configuration files, and other non-code assets with the same level of scrutiny as source code. If an AI can read a picture, it also needs to understand that the picture could be trying to manipulate it. For developers, this is another reminder that AI coding tools still need supervision. They can dramatically speed up software development, but they also open entirely new attack surfaces that didn’t exist before. The next security risk might not be hidden in thousands of lines of code — it could be sitting inside an image that nobody thought was worth opening.

Shimul Sood
Shimul is a contributor at Digital Trends, with over five years of experience in the tech space.
AI has already fallen into the wrong hands and they’re using it to make bombs
Logo, Text

Artificial intelligence has quickly become the go-to tool for everything from writing emails and summarizing meetings to helping students study or developers debug code. But the same technology that saves people time can also be misused, and a new report suggests that terrorist organizations are finding ways to do exactly that.

According to a research paper shared with The New York Times ahead of its publication, researchers found evidence that members of Boko Haram have been using popular AI chatbots to support both day-to-day activities and combat-related tasks. Interviews with 27 former members conducted in Nigeria over the past two years suggest that tools such as ChatGPT, Gemini, Claude, Grok, Meta AI, and DeepSeek were used to gather technical information, troubleshoot weapons, and even assist with planning attacks.

Read more
Claude Code can now browse the web without opening Chrome
The desktop app now includes an in-app browser that can read websites, click links, and interact with web apps.
Claude Code Featured

Developers spend a surprising amount of time bouncing between their code editor, browser tabs, API documentation, GitHub issues, and design files. Anthropic thinks Claude Code should simply do all of that without constantly asking users to switch windows. The company has announced a new in-app browser for Claude Code on desktop, allowing its AI coding assistant to open websites, read documentation, inspect designs, and interact with web pages directly from within the application.

A browser built into Claude Code

Read more
Apple is suing OpenAI over theft of trade secrets in blockbuster lawsuit
The lawsuit claims OpenAI recruited Apple employees and obtained confidential information about unreleased products.
Apple store Apple Building Apple Logo

For the past two years, Apple and OpenAI have been presented as close AI partners. ChatGPT powers key Apple Intelligence features, Siri can hand complex queries over to OpenAI, and together the two companies helped bring generative AI to millions of Apple devices. Now, that partnership has taken a dramatic turn.

What is Apple accusing OpenAI of?

Read more