Tag: prompt-injection
-
Simon Willison’s Weblog: 100% effective
Source URL: https://simonwillison.net/2025/Jun/16/100-percent/#atom-everything Source: Simon Willison’s Weblog Title: 100% effective Feedly Summary: Every time I get into an online conversation about prompt injection it’s inevitable that someone will argue that a mitigation which works 99% of the time is still worthwhile because there’s no such thing as a security fix that is 100% guaranteed to…
-
Simon Willison’s Weblog: The lethal trifecta for AI agents: private data, untrusted content, and external communication
Source URL: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/#atom-everything Source: Simon Willison’s Weblog Title: The lethal trifecta for AI agents: private data, untrusted content, and external communication Feedly Summary: If you are a user of LLM systems that use tools (you can call them “AI agents" if you like) it is critically important that you understand the risk of combining tools…
-
Simon Willison’s Weblog: An Introduction to Google’s Approach to AI Agent Security
Source URL: https://simonwillison.net/2025/Jun/15/ai-agent-security/#atom-everything Source: Simon Willison’s Weblog Title: An Introduction to Google’s Approach to AI Agent Security Feedly Summary: Here’s another new paper on AI agent security: An Introduction to Google’s Approach to AI Agent Security, by Santiago Díaz, Christoph Kern, and Kara Olive. (I wrote about a different recent paper, Design Patterns for Securing…
-
Google Online Security Blog: Mitigating prompt injection attacks with a layered defense strategy
Source URL: http://security.googleblog.com/2025/06/mitigating-prompt-injection-attacks.html Source: Google Online Security Blog Title: Mitigating prompt injection attacks with a layered defense strategy Feedly Summary: AI Summary and Description: Yes **Summary:** The text discusses emerging security threats associated with generative AI, particularly focusing on indirect prompt injections that manipulate AI systems through hidden malicious instructions. Google outlines its layered security…
-
Simon Willison’s Weblog: Design Patterns for Securing LLM Agents against Prompt Injections
Source URL: https://simonwillison.net/2025/Jun/13/prompt-injection-design-patterns/#atom-everything Source: Simon Willison’s Weblog Title: Design Patterns for Securing LLM Agents against Prompt Injections Feedly Summary: This a new paper by 11 authors from organizations including IBM, Invariant Labs, ETH Zurich, Google and Microsoft is an excellent addition to the literature on prompt injection and LLM security. In this work, we describe…
-
Simon Willison’s Weblog: Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot
Source URL: https://simonwillison.net/2025/Jun/11/echoleak/ Source: Simon Willison’s Weblog Title: Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot Feedly Summary: Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot Aim Labs reported CVE-2025-32711 against Microsoft 365 Copilot back in January, and the fix is…
-
Simon Willison’s Weblog: Codex agent internet access
Source URL: https://simonwillison.net/2025/Jun/3/codex-agent-internet-access/ Source: Simon Willison’s Weblog Title: Codex agent internet access Feedly Summary: Codex agent internet access Sam Altman, just now: codex gets access to the internet today! it is off by default and there are complex tradeoffs; people should read about the risks carefully and use when it makes sense. This is the…
-
Simon Willison’s Weblog: GitHub MCP Exploited: Accessing private repositories via MCP
Source URL: https://simonwillison.net/2025/May/26/github-mcp-exploited/#atom-everything Source: Simon Willison’s Weblog Title: GitHub MCP Exploited: Accessing private repositories via MCP Feedly Summary: GitHub MCP Exploited: Accessing private repositories via MCP GitHub’s official MCP server grants LLMs a whole host of new abilities, including being able to read and issues in repositories the user has access to and submit new…
-
Simon Willison’s Weblog: System Card: Claude Opus 4 & Claude Sonnet 4
Source URL: https://simonwillison.net/2025/May/25/claude-4-system-card/#atom-everything Source: Simon Willison’s Weblog Title: System Card: Claude Opus 4 & Claude Sonnet 4 Feedly Summary: System Card: Claude Opus 4 & Claude Sonnet 4 Direct link to a PDF on Anthropic’s CDN because they don’t appear to have a landing page anywhere for this document. Anthropic’s system cards are always worth…
-
Simon Willison’s Weblog: Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
Source URL: https://simonwillison.net/2025/May/23/remote-prompt-injection-in-gitlab-duo/ Source: Simon Willison’s Weblog Title: Remote Prompt Injection in GitLab Duo Leads to Source Code Theft Feedly Summary: Remote Prompt Injection in GitLab Duo Leads to Source Code Theft Yet another example of the classic Markdown image exfiltration attack, this time affecting GitLab Duo – GitLab’s chatbot. Omer Mayraz reports on how…