Johann Rehberger
wuzzi23.bsky.social
Ahoy! 🏴‍☠️

Claude got network access.

When enabled, it can also communicate with Anthropic APIs!

Twist: Attacker sets their own API key in prompt injection payload to upload user's data to their account 🔥

embracethered.com/blog/posts/2...
Claude Pirate: Abusing Anthropic's File API For Data Exfiltration · Embrace The Red
Claude's Code Interpreter recently got network access, and the default allow-list enables an interesting novel exploit chain that allows an adversary to exfiltrate large amounts of data by uploading f...
embracethered.com
October 30, 2025 at 11:04 PM
Reposted by Johann Rehberger
Great series, kudos.

To rephrase the old joke: the S in VIBE coding stands for Security.
September 3, 2025 at 7:27 AM
AgentHopper: An AI Virus

Month of AI Bugs Season Finale - Enjoy! 🍿

embracethered.com/blog/posts/2...
AgentHopper: An AI Virus · Embrace The Red
AgentHopper: A proof-of-concept AI Virus
embracethered.com
September 1, 2025 at 5:16 AM
Episode 26: AWS Kiro

Arbitrary Code Execution via Indirect Prompt Injection

embracethered.com/blog/posts/2...
AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection · Embrace The Red
Agents That Can Overwrite Their Own Configuration and Security Settings
embracethered.com
August 28, 2025 at 2:19 AM
Episode 22: Windsurf

Windsurf: Memory-Persistent Data Exfiltration (SpAIware Exploit)

embracethered.com/blog/posts/2...
Windsurf: Memory-Persistent Data Exfiltration (SpAIware Exploit) · Embrace The Red
Windsurf is vulnerable to Prompt Injection and also long-term memory persistence, which allows an adversary to persist malicious instructions for a long period of time, a.k.a. the SpAIware attack
embracethered.com
August 28, 2025 at 2:16 AM
Episode 21: Hijacking Windsurf

How Prompt Injection Leaks Developer Secrets

embracethered.com/blog/posts/2...
Hijacking Windsurf: How Prompt Injection Leaks Developer Secrets · Embrace The Red
Windsurf is vulnerable to indirect prompt injection and can be exploited to leak sensitive source code, environment variables and other information on the host
embracethered.com
August 28, 2025 at 2:15 AM
Episode 19: Amazon Q Developer

Remote Code Execution with Prompt Injection

embracethered.com/blog/posts/2...
Amazon Q Developer: Remote Code Execution with Prompt Injection · Embrace The Red
Amazon Q Developer Compromising Developer Machines
embracethered.com
August 28, 2025 at 2:14 AM
Episode 18: Amazon Q Developer

Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection

embracethered.com/blog/posts/2...
Amazon Q Developer: Secrets Leaked via DNS and Prompt Injection · Embrace The Red
Amazon Q Developer Leaking Sensitive Data To External Systems Via DNS Requests (no human in the loop)
embracethered.com
August 28, 2025 at 2:13 AM
Episode 17: Amp

Data Exfiltration via Image Rendering Fixed in Amp Code

embracethered.com/blog/posts/2...
Data Exfiltration via Image Rendering Fixed in Amp Code · Embrace The Red
AmpCode is vulnerable to Prompt Injection and it was possible to leak sensitive source code, environment variables and other information on the host
embracethered.com
August 28, 2025 at 2:12 AM
Episode 16: Amp code

Invisible Prompt Injection Fixed by Sourcegraph
embracethered.com/blog/posts/2...
Amp Code: Invisible Prompt Injection Fixed by Sourcegraph · Embrace The Red
Sourcegraph recently fixed a vulnerability that allowed invisible instructions to perform prompt injection and hijack the agent.
embracethered.com
August 28, 2025 at 2:11 AM
👉 Episode 15: Google Jules

Google Jules is Vulnerable To Invisible Prompt Injection

embracethered.com/blog/posts/2...
Google Jules is Vulnerable To Invisible Prompt Injection · Embrace The Red
Jules is vulnerable to Prompt Injection from invisible instructions in untrusted data, which can end up running arbitrary operating system commands via the run_in_bash_session tool
embracethered.com
August 28, 2025 at 2:10 AM
👉 Episode 14: Google Jules

Jules Zombie Agent: From Prompt Injection to Remote Control

embracethered.com/blog/posts/2...
Jules Zombie Agent: From Prompt Injection to Remote Control · Embrace The Red
Jules is vulnerable to Prompt Injection and can be exploited to leak sensitive source code, environment variables and achieve remote command & control by joining a botnet.
embracethered.com
August 28, 2025 at 2:09 AM
👉 Episode 13: Google Jules

Vulnerable to Multiple Data Exfiltration Issues with prompt injection

embracethered.com/blog/posts/2...
Google Jules: Vulnerable to Multiple Data Exfiltration Issues · Embrace The Red
Jules is vulnerable to Prompt Injection and can be exploited to leak sensitive source code, environment variables and other information on the host
embracethered.com
August 28, 2025 at 2:08 AM
Reposted by Johann Rehberger
Great summary by @simonwillison.net of @wuzzi23.bsky.social's findings on AI tools vulnerabilities.
In short, all AI tools are vulnerable if one attaches external files and links to their prompts, leading to secrets leaks and remote code execution.
Johann publishes daily until the end of the month.
The Summer of Johann: prompt injections as far as the eye can see
Independent AI researcher Johann Rehberger (previously) has had an absurdly busy August. Under the heading The Month of AI Bugs he has been publishing one report per day across an …
simonwillison.net
August 17, 2025 at 5:02 AM
💥 Remote Code Execution in GitHub Copilot (CVE-2025-53773)

👉 Prompt injection exploit writes to Copilot config file & puts it into YOLO mode, and we get immediate RCE

🔥 Bypasses all user approvals

🛡️ Patch is out today. Update before someone else does it for you

embracethered.com/blog/posts/2...
GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) · Embrace The Red
An attacker can put GitHub Copilot into YOLO mode by modifying the project's settings.json file on the fly, and then executing commands, all without user approval
embracethered.com
August 13, 2025 at 2:56 AM
Episode 11

Claude Code: Data Exfiltration with DNS

embracethered.com/blog/posts/2...
Claude Code: Data Exfiltration with DNS · Embrace The Red
Claude Code Can Leak Sensitive Data To External Systems with DNS requests
embracethered.com
August 11, 2025 at 8:22 PM
Episode 10

ZombAI Exploit with OpenHands: Prompt Injection To Remote Code Execution

embracethered.com/blog/posts/2...
ZombAI Exploit with OpenHands: Prompt Injection To Remote Code Execution · Embrace The Red
When processing untrusted data OpenHands can be hijacked to run remote code (RCE) and connect to an attacker's command and control system
embracethered.com
August 11, 2025 at 8:21 PM
Episode 9

OpenHands and the Lethal Trifecta: How Prompt Injection Can Leak Access Tokens

embracethered.com/blog/posts/2...
OpenHands and the Lethal Trifecta: How Prompt Injection Can Leak Access Tokens · Embrace The Red
OpenHands Coding Agent Data Exfiltration Threats
embracethered.com
August 11, 2025 at 8:21 PM
Episode 8

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

embracethered.com/blog/posts/2...
AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection · Embrace The Red
AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection
embracethered.com
August 11, 2025 at 8:20 PM
Episode 7

How Devin AI Can Leak Your Secrets via Multiple Means

embracethered.com/blog/posts/2...
How Devin AI Can Leak Your Secrets via Multiple Means · Embrace The Red
Data gone, oops.
embracethered.com
August 11, 2025 at 8:19 PM
Episode 5

Amp Code: Arbitrary Command Execution via Prompt Injection Fixed

New novel TTP!

embracethered.com/blog/posts/2...
Amp Code: Arbitrary Command Execution via Prompt Injection Fixed · Embrace The Red
By automatically allowlisting bash commands or adding a fake MCP server, it was possible for prompt injection to achieve code execution on the developer's machine!
embracethered.com
August 11, 2025 at 8:17 PM