Indirect Prompt Injection via SEO Poisoning Targeting OpenAI, Anthropic, and Google AI Agents
Attackers are leveraging Indirect Prompt Injection (IPI) to hijack AI agents from OpenAI, Anthropic, and Google by weaponizing the Retrieval-Augmented Generation (RAG) process. Through SEO poisoning, malicious sites are prioritized in agent grounding searches, delivering hidden payloads via CSS (display:none, opacity:0) and zero-width characters. These invisible instructions override system prompts to execute unauthorized tool-use functions, enabling cryptojacking via WebAssembly and the exfiltration of sensitive session data to attacker-controlled endpoints. This vulnerability shifts the primary attack vector from direct user input to external, untrusted data sources utilized for agentic autonomy.
Web Agent Retrieval Poisoning WARP Targeting OpenAI Deep Research and Google Gemini Deep Research
Web Agent Retrieval Poisoning (WARP) is a critical evolution in indirect prompt injection targeting agentic AI systems, including OpenAI Deep Research, Google Gemini Deep Research, and Claude Code. Attackers embed instructions within seemingly benign source material, such as public GitHub repositories, to exploit an AI agent's automated error-recovery instincts. By triggering specific logic, attackers force the agent to fetch second-stage payloads via non-file-based channels like DNS TXT records. This technique bypasses static analysis, secret scanners, and human code review, ultimately enabling Remote Code Execution (RCE) through reverse shells on developer workstations or within CI/CD pipelines.
OpenAI GPT-5.5-Cyber and the Daybreak Autonomous Defense Initiative
OpenAI has released GPT-5.5-Cyber as part of the Daybreak initiative, transitioning cybersecurity from human-led reactive posture to autonomous, machine-speed defense. The system integrates automated vulnerability detection with synthetic code generation to produce stable security patches, targeting a significant reduction in Mean Time to Remediate (MTTR) across CI/CD pipelines. By benchmarking against known CVEs and zero-day discovery protocols, GPT-5.5-Cyber aims to neutralize automated exploitation threats. Deployment is overseen by the UK AI Safety Institute (AISI) to ensure safety guardrails prevent the model's repurposing for offensive cyber operations or the generation of malicious payloads.
OpenAI GPT-5.5 Deployment and Anthropic Fable 5 Export Restrictions
OpenAI is transitioning to the GPT-5.5 Instant architecture and Dreaming V3 memory synthesis while deprecating legacy models like o3. Simultaneously, the U.S. government has mandated Anthropic to restrict foreign national access to Fable 5 and Mythos 5 models. This regulatory action follows evidence that Fable 5 can be jailbroken to generate functional stack exploit code, shifting the threat model of high-tier LLMs from general productivity assistants to offensive cyber-weaponry capable of automating exploit development.
ChatGPT: ChatGPhish Markdown Rendering Vulnerability
The "ChatGPhish" vulnerability is a high-severity indirect prompt injection flaw residing in the ChatGPT web interface's Markdown rendering engine. By leveraging the model's web-browsing and summarization capabilities, an attacker can host malicious Markdown/HTML payloads on an external webpage. When ChatGPT processes this URL, the renderer interprets the untrusted content as legitimate UI elements within the chatgpt.com domain. This facilitates "trust-transfer" attacks, allowing adversaries to inject spoofed security alerts, fraudulent hyperlinks, and phishing QR codes directly into the user's trusted session, aiming for credential theft and session hijacking via sophisticated social engineering.
ChatGPT Share Links Exploited to Bypass Security Filters and Deliver Infostealers
Threat actors are leveraging the ChatGPT "shared chat" feature to execute a sophisticated phishing campaign that bypasses corporate security infrastructure. By hosting fraudulent service outage notifications on the trusted chatgpt.com/share/ domain, attackers utilize domain reputation hijacking to circumvent Secure Web Gateways (SWG) and URL filters. The campaign redirects targets to download malicious, fake ChatGPT desktop applications for Windows (.exe) and macOS (.dmg/.pkg). These payloads deliver infostealer malware designed to exfiltrate browser cookies, session tokens, and sensitive system credentials, posing a critical risk of account takeover (ATO) and large-scale corporate data exfiltration.