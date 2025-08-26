Cybersecurity researchers have disclosed a new prompt injection technique that can trick multimodal AI systems into leaking user data. The attack hides instructions inside images that look normal to the human eye. When an AI system downscales such an image before passing it to the model, the hidden text becomes legible to the model, which then carries it out as instructions without the user's knowledge.

The attack was developed by Trail of Bits researchers Kikimora Morozova and Suha Sabi Hussain. It builds on a 2020 USENIX Security paper by researchers at Germany's TU Braunschweig, which described image-scaling attacks against machine learning pipelines: crafting an image so that it changes its apparent content when it is resized.

Stay Alert: New AI Attack Uses Invisible Prompts in Images to Steal Sensitive Data

How it Works

When users upload images to AI systems, the pictures are usually downscaled before they reach the model, to save cost and improve performance. The downscaling is done by a resampling algorithm such as nearest neighbour, bilinear, or bicubic interpolation. Each of these computes every output pixel from a different selection or weighting of source pixels, and each therefore discards detail in a different, predictable way.

Where an image contains detail finer than the output grid can represent, resampling produces aliasing artefacts. An attacker who knows which algorithm the target uses can craft the full-resolution pixels so that these artefacts form text: invisible, or just faint noise, at full size, but readable as instructions once the image has been downscaled.

For example, in one Trail of Bits test, dark regions of an image turned red after bicubic downscaling, which made black text hidden in those regions stand out against the new background. The model read that text as instructions. The user saw only the full-resolution image, which looked normal, while the model silently followed the hidden commands.

In one case the researchers used this to make Google Gemini CLI send Google Calendar data to an attacker-controlled email address. The exfiltration succeeded because the tool calls triggered by the hidden text were executed without the user ever being asked to confirm them.
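The following is an added toy example, not Trail of Bits' Anamorpher code, showing the mechanism described above in its simplest form. It uses nearest-neighbour resampling, where the downscaler keeps exactly one source pixel per block and throws the rest away, so the attacker only has to overwrite those sampled pixels; bilinear and bicubic kernels weight several source pixels and require an optimiser, which the page's real example (bicubic) used. The benign gradient image, the 8x16 "hidden text" bitmap, the downscale factor of 4 and the top-left sample position are all assumptions of this example. It also shows a practitioner's check: downscaling the same upload with an area average and comparing the two results, which a natural image passes and a crafted one fails.

```python
# Toy image-scaling attack (added example, not Trail of Bits' Anamorpher code).
# Grayscale images are lists of rows of ints 0..255. Nearest-neighbour resampling
# is used because it is the simplest case: it keeps exactly one source pixel per
# block and discards the rest, so an attacker only has to control those pixels.
# Bilinear/bicubic kernels weight several source pixels and need an optimiser.

SCALE = 4  # downscale factor assumed for the model's preprocessing (assumption)

# Constructed payload: an 8x16 bitmap standing in for the hidden instruction text.
PAYLOAD_ART = [
    "................",
    ".#...#..#####...",
    ".#...#....#.....",
    ".#####....#.....",
    ".#...#....#.....",
    ".#...#....#.....",
    ".#...#..#####...",
    "................",
]
PAYLOAD = [[0 if c == "#" else 255 for c in row] for row in PAYLOAD_ART]


def benign_image(height, width):
    """Constructed sample: a smooth horizontal gradient, what the user thinks they uploaded."""
    return [[255 * x // (width - 1) for x in range(width)] for _ in range(height)]


def nearest_downscale(img, factor):
    """Nearest-neighbour downscale: one source pixel per factor x factor block.
    This toy samples the top-left pixel of each block; real libraries use a
    fixed but library-specific sample position, which the attacker must match."""
    h, w = len(img) // factor, len(img[0]) // factor
    return [[img[y * factor][x * factor] for x in range(w)] for y in range(h)]


def area_downscale(img, factor):
    """Box-filter downscale: average every factor x factor block. Every source
    pixel contributes, so a few planted pixels cannot dominate the result."""
    h, w = len(img) // factor, len(img[0]) // factor
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            block = [img[y * factor + dy][x * factor + dx]
                     for dy in range(factor) for dx in range(factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def embed_payload(source, payload, factor):
    """Craft the attack image: overwrite only the pixels the sampler will read.
    The other factor^2 - 1 pixels of every block keep the benign content."""
    img = [row[:] for row in source]
    for y, prow in enumerate(payload):
        for x, value in enumerate(prow):
            img[y * factor][x * factor] = value
    return img


def fraction_changed(a, b):
    """Share of source pixels the attack had to touch."""
    total = sum(len(r) for r in a)
    changed = sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return changed / total


def scaling_attack_score(img, factor):
    """Defence check: compare what the model would see (nearest) with an area
    average of the same image. Returns the mean absolute per-pixel difference;
    a natural image scores low, a crafted one scores high because the planted
    pixels disagree with their surroundings."""
    fast, robust = nearest_downscale(img, factor), area_downscale(img, factor)
    diffs = [abs(p - q) for rf, rr in zip(fast, robust) for p, q in zip(rf, rr)]
    return sum(diffs) / len(diffs)


def render(img):
    """ASCII preview of an image (dark pixels as '#'): the 'show the user what
    the model sees' mitigation in miniature."""
    return "\n".join("".join("#" if p < 128 else "." for p in row) for row in img)


if __name__ == "__main__":
    benign = benign_image(len(PAYLOAD) * SCALE, len(PAYLOAD[0]) * SCALE)
    attack = embed_payload(benign, PAYLOAD, SCALE)
    print(f"pixels changed: {fraction_changed(benign, attack):.3%}")
    print("model sees (nearest):\n" + render(nearest_downscale(attack, SCALE)))
    print("area average of the same upload:\n" + render(area_downscale(attack, SCALE)))
    print(f"score benign={scaling_attack_score(benign, SCALE):.1f} "
          f"attack={scaling_attack_score(attack, SCALE):.1f}")
```

Running the script prints the bitmap exactly as the nearest-neighbour path delivers it to the model, while the area-average path of the same file shows only the gradient; the attacker changed one pixel in sixteen. The comparison score is the check worth keeping: it does not need to know what the payload says, only that the two resamplers disagree far more than they would on a natural photograph.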

Affected Systems

The attack has been shown to work on several popular AI systems, including:

Google Gemini CLI

Vertex AI Studio (Gemini backend)

Gemini’s web interface

Gemini’s API via the llm CLI

Google Assistant on Android

Genspark

Experts warn that the risk is not limited to these platforms. Any multimodal system that downscales uploads with a predictable resampling algorithm can be targeted, so the technique could be adapted to other AI tools as well.

To demonstrate this, the researchers released Anamorpher, an open-source tool (currently in beta) that generates attack images tailored to each of these downscaling methods.

Possible Defenses

The researchers suggest several ways to reduce the risk:

Limit the size and dimensions of uploaded images.

Provide users with a preview of how their images look after downscaling.

Require explicit user confirmation for sensitive tool calls, in particular those triggered by text that came from an uploaded image.

They also recommend stronger, long-term defences: AI systems, they argue, should be built on secure design patterns that resist prompt injection in general, not just the image-based variant.

Why It Matters

The finding shows how inventive attacks on AI systems have become. These systems are increasingly connected to sensitive tools, personal data and even financial platforms, so a hidden message in a picture can lead to serious data leaks if proper safeguards are not in place.

As AI adoption grows worldwide, researchers stress the need for stronger, security-first designs to protect users from invisible threats.
