Artificial intelligence tools have quickly become mainstream, embraced not just by tech-savvy users but also by those with little background in conventional software or security practices. However, this rapid adoption has created fertile ground for malicious actors looking to exploit the technology in new and creative ways. Recent research from security firm Trail of Bits has revealed a concerning method in which hackers can conceal prompt injection attacks within images, making them invisible to the human eye but detectable by AI systems.

Prompt injection is a technique in which hidden instructions are embedded in content to manipulate the behavior of large language models or other AI systems. Traditionally, this has been demonstrated by embedding text in emails using font colors that blend into the background, leaving humans unable to see the malicious instructions while the AI processes them. The innovation reported by Trail of Bits lies in using image compression artifacts as the hiding spot. When an image is compressed during upload, the invisible embedded instructions can be revealed and transcribed by AI tools, effectively smuggling hidden commands past human review.

An example presented in collaboration with BleepingComputer shows how this method could be weaponized. A user might be sent an image and then upload it to an AI service such as Google’s Gemini or even trigger a search via Android’s circle-to-search feature. During compression, the hidden text becomes exposed to the AI system, which then interprets and executes the malicious instruction—such as emailing personal calendar data to an attacker. While this requires carefully crafted instructions and targeting of a specific AI system, the potential risk is evident.

Currently, there is no indication that this image-based attack has been deployed in the wild. Nevertheless, it underscores how even routine actions, such as uploading a picture to get an AI-powered description, could open the door to new vulnerabilities. As AI becomes more integrated into daily life, researchers warn that users and developers alike must remain vigilant about seemingly harmless interactions that could be turned into powerful attack vectors.