# Prompt injection is a problem that may never be fixed, warns NCSC

Source: Malwarebytes blog, News, published 2025-12-09. https://www.malwarebytes.com/blog/news/2025/12/prompt-injection-is-a-problem-that-may-never-be-fixed-warns-ncsc

Prompt injection is shaping up to be one of the most stubborn problems in AI security, and the UK's National Cyber Security Centre (NCSC) has warned that it may never be "fixed" in the way SQL injection was.

Two years ago, the NCSC said prompt injection might turn out to be the "SQL injection of the future." Apparently, they have come to realize it's even worse.

Prompt injection works because AI models can't tell the difference between the app's instructions and the attacker's instructions, so they sometimes obey the wrong one.

To avoid this, AI providers set up their models with guardrails: tools that help developers stop agents from doing things they shouldn't, either intentionally or unintentionally. For example, if you tried to tell an agent to explain how to produce anthrax spores at scale, guardrails would ideally detect that request as undesirable and refuse it.

Getting an AI to go outside those boundaries is often referred to as jailbreaking. **Guardrails** are the safety systems that try to keep AI models from saying or doing harmful things. **Jailbreaking** is when someone crafts one or more prompts to get around those safety systems and make the model do what it's not supposed to do. **Prompt injection** is a specific way of doing that: an attacker hides their own instructions inside user input or external content, so the model follows those hidden instructions instead of the original guardrails.

The danger grows when Large Language Models (LLMs), like ChatGPT, Claude or Gemini, stop being chatbots in a box and start acting as "autonomous agents" that can move money, read email, or change settings. If a model is wired into a bank's internal tools, HR systems, or developer pipelines, a successful prompt injection stops being an embarrassing answer and becomes a potential data breach or fraud incident.

We've already seen several methods of prompt injection emerge. For example, researchers found that posting embedded instructions on Reddit could potentially get agentic browsers to drain the user's bank account. Attackers could also use specially crafted documents to corrupt an AI. Even seemingly harmless images can be weaponized in prompt injection attacks.

## Why we shouldn't compare prompt injection with SQL injection

The temptation to frame prompt injection as "SQL injection for AI" is understandable. Both are injection attacks that smuggle harmful instructions into something that should have been safe. But the NCSC stresses that this comparison is dangerous if it leads teams to assume that a similar one-shot fix is around the corner.

The comparison to SQL injection attacks alone was enough to make me nervous. The first documented SQL injection exploit was in 1998 by cybersecurity researcher Jeff Forristal, and we still see them today, 27 years later.

SQL injection became manageable because developers could draw a firm line between commands and untrusted input, and then enforce that line with libraries and frameworks. With LLMs, that line simply does not exist inside the model: every token is fair game for interpretation as an instruction. That is why the NCSC believes prompt injection may never be totally mitigated and could drive a wave of data breaches as more systems plug LLMs into sensitive back-ends.

Does this mean we have set up our AI models wrong? Maybe. Under the hood of an LLM, there is no distinction made between data and instructions; it simply predicts the most likely next token from the text so far. This can lead to "confused deputy attacks."

The NCSC warns that as more organizations bolt generative AI onto existing applications without designing for prompt injection from the start, the industry could see a surge of incidents similar to the SQL injection-driven breaches of 10 to 15 years ago. Possibly even worse, because the possible failure modes are uncharted territory for now.

## What can users do?

The NCSC provides advice for developers to reduce the risks of prompt injection. But how can we, as users, stay safe?

  * Take advice provided by AI agents with a grain of salt. Double-check what they're telling you, especially when it's important.
  * Limit the powers you provide to agentic browsers or other agents. Don't let them handle large financial transactions or delete files. Take warning from the story of a developer who found their entire D drive deleted.
  * Only connect AI assistants to the minimum data and systems they truly need, and keep anything that would be catastrophic to lose out of their control.
  * Treat AI-driven workflows like any other exposed surface and log interactions so unusual behavior can be spotted and investigated.