AI-LENOVO-LENA-XSS-2025

In early May 2026 an attacker drained roughly $150,000 from an AI-powered crypto trading agent on X (Twitter) through prompt injection, an exploit of Grok and the linked Bankrbot agent documented by AI-security researchers including Giskard and NeuralTrust. The attacker posted a Morse-code-encoded message on X and asked Grok to translate it; Grok decoded the obfuscated payload, which contained hidden financial instructions, and the encoding let the untrusted post slip past content filters. Grok processed this user-supplied X content as a trusted directive with no separation between conversation input and authorized commands, then relayed the decoded instruction to the linked Bankrbot agent, which executed it as a legitimate order. Combined with a previously transferred Bankr Club Membership NFT that granted elevated 'Executive' wallet permissions, Bankrbot sent about 3 billion DRB tokens (roughly $150,000) on the Base network to the attacker's wallet, with no human-in-the-loop or circuit breaker on the high-value transfer. About 80% of the funds were later returned after the community identified the attacker.

Disclosed on September 25, 2025 by Noma Security, ForcedLeak is a CVSS 9.4 indirect prompt-injection chain in Salesforce Agentforce affecting organizations with Web-to-Lead enabled. An attacker submits a public Web-to-Lead form and plants hidden instructions in the Description field, chosen because its roughly 42,000-character limit allows complex multi-step directives. When an employee later asks the Agentforce AI agent to process or summarize that lead, the agent ingests the attacker-controlled text as part of its context and executes the embedded commands, querying and reading internal CRM data such as lead email addresses and other contact and sales-pipeline information. The agent then exfiltrates the harvested data by embedding it in an image or link request to an expired Salesforce-related domain that remained on the Content Security Policy allow-list and was re-registered by researchers for about $5, bypassing egress controls. Salesforce remediated it on September 8, 2025 by re-securing the expired domain and enforcing Trusted URLs for Agentforce and Einstein AI; no CVE was assigned because the issue did not stem from a software version flaw.

Presented at Black Hat USA 2025 and DEF CON 33 and published August 6, 2025 by SafeBreach researchers Ben Nassi, Stav Cohen and Or Yair, this indirect prompt injection (dubbed 'promptware') hijacks Google Gemini through poisoned Google Calendar invites, emails and shared documents. An attacker sends the victim a calendar invite whose title contains hidden instructions; the malicious text sits unnoticed because long event lists hide entries behind a 'Show more' control yet still enter Gemini's context. When the victim later asks Gemini a routine request such as summarizing their schedule, the agent ingests the attacker's calendar data as trusted context and executes the embedded directives, abusing Gemini's connected agents and tool permissions. Demonstrated real-world effects included controlling Google Home smart devices to open windows, turn off lights and activate a boiler, plus geolocating the victim, starting a Zoom video stream, deleting calendar events and exfiltrating email content. The researchers privately disclosed to Google in February 2025, and Google deployed layered mitigations including user confirmations, URL sanitization and prompt-injection detection before publication.

Coding agents that autonomously read project and external content are vulnerable to indirect prompt injection, where hidden instructions placed in untrusted material the agent ingests hijack its behavior. The injection surface is broad: a poisoned README, source-code comment, GitHub issue or PR comment, a dependency's files, a fetched web page, or an MCP tool description, with instructions often concealed using invisible Unicode characters so a human reviewer never sees them, as Pillar Security demonstrated with the 'Rules File Backdoor' technique. Because the agent cannot distinguish trusted developer instructions from attacker text in the data it processes, the injected commands can direct it to insert a backdoor, weaken security controls, exfiltrate secrets, or run shell/MCP commands. Johann Rehberger (Embrace The Red) proved the data-exfiltration variant in Cursor with CVE-2025-54132 (disclosed June 30, 2025, fixed in v1.3): a comment-embedded payload made Cursor render a Mermaid diagram containing an attacker image URL, auto-firing an outbound request that leaked API keys and agent memory without confirmation. When the developer merges or runs the agent's resulting output unmonitored, the attacker-controlled changes land directly in the codebase or on the developer's machine.

MCP tool poisoning is a supply-chain prompt-injection class in which a malicious Model Context Protocol server embeds hidden directives inside a tool's description metadata. Because MCP clients feed the full tool description into the model's context but typically render only a simplified tool name to the user, the model reads attacker instructions (often wrapped in tags like IMPORTANT) that the human never sees. Invariant Labs disclosed this on April 1, 2025, demonstrating that merely connecting a server lets a benign-looking add() tool silently instruct the agent to read files such as ~/.cursor/mcp.json and ~/.ssh/id_rsa and exfiltrate them through innocuous-seeming parameters; this also enables 'line jumping' (Trail of Bits), where the description influences the model before any tool is invoked, and 'rug pull' variants that mutate a tool's description after the user has already approved it. The class maps to OWASP LLM01:2025 Prompt Injection and the LLM03 supply-chain risk.

Agent memory poisoning is a persistent prompt-injection class where attacker instructions delivered through untrusted content are written into an assistant's long-term memory, so the directive survives across future independent sessions. The low-level mechanism abuses the model's memory tool: indirect injection (for example a malicious web page or document the model summarizes) causes the agent to invoke its memory function and store an attacker-controlled instruction, which is then re-loaded into every subsequent conversation's context. Johann Rehberger demonstrated this as 'SpAIware' on September 20, 2024 against the ChatGPT macOS app, chaining memory injection with an image-rendering exfiltration channel that bypassed the url_safe mitigation to continuously leak conversations to an attacker server; he showed the same delayed-tool-invocation memory poisoning against Google Gemini in February 2025. The class maps to OWASP LLM01:2025 Prompt Injection and improper output/memory handling.