Artificial intelligence is spreading across everyday life at an unprecedented pace, with AI-powered chatbots and search tools now being used by millions of people who may not have extensive experience with software or security. Unfortunately, this widespread adoption has drawn the attention of hackers, who are probing for ways to manipulate AI systems to their advantage. A new report from security researchers at Trail of Bits has shed light on a novel attack method: hiding malicious prompt injections inside images, where the text remains invisible to human users but is revealed when processed by AI.
Prompt injection attacks involve sneaking instructions into content to alter how an AI behaves, often without the user realizing what is happening. In earlier demonstrations, researchers showed how hidden text could be embedded in emails using color tricks, effectively making the message unreadable to humans while still processed by AI summarization tools. Now, Trail of Bits has demonstrated that compression artifacts within images can achieve the same outcome. When a user uploads a compressed image to an AI service, the system may detect and interpret the hidden instructions, unknowingly executing commands embedded by the attacker.
One scenario outlined by the researchers involves a malicious actor sending a victim an image, which is then uploaded to Google’s Gemini or another AI-driven tool. During compression, the hidden text emerges, and the AI processes it as an instruction—for example, extracting and sending sensitive data like a user’s calendar information. Though this method requires significant effort to tailor both the image and the injection to a specific AI model, it highlights the ease with which benign-looking images could be turned into delivery systems for cyberattacks.
While Trail of Bits found no evidence that attackers are actively using this technique, the discovery raises alarms about future exploitation. The incident highlights how even the most ordinary interactions with AI—like asking for an explanation of a photo or screenshot—could expose users to hidden risks. With AI systems increasingly embedded in operating systems, search tools, and productivity apps, the challenge for developers will be creating safeguards that prevent hidden instructions from being executed while maintaining the seamless experience that has fueled AI’s rapid adoption.