Prompt Injection Attacks in 2025: When Your Favorite AI Chatbot Listens to the Wrong Instructions

Your AI chatbot just turned against you – thanks to prompt injection – an attack that exploits AI’s inability to differentiate your commands from an attacker’s. 

In February 2025, security researcher Johann Rehberger demonstrated how Google’s Gemini Advanced could be tricked into storing false data.  

By using a technique called delayed tool invocation, Rehberger got Gemini to “remember” him as a 102-year-old flat-earther who likes ice cream and cookies and lives in the Matrix.  

The demo was almost laughably simple: First, Rehberger uploaded a document with hidden prompts and asked Gemini to summarize it. Inside the document, he “hid” instructions for Gemini to store fake details about him in long-term memory when he typed in trigger words like “yes,” “no,” or “sure.”  

The result? Planted memories that train Gemini to continuously act on the false information – as long as Rehberger continued the conversation. 

But here’s what makes this more than a clever hack: It’s merely the opening act in the evolution of prompt injection, in what researchers are now calling “Prompt Injection 2.0.”  

What are prompt injection attacks? 

In a nutshell, prompt injection attacks trick AI chatbots into ignoring original, trusted instructions to perform malicious actions. 

The technique Rehberger demonstrated – delayed tool invocation – is an advanced form of indirect prompt injection. 

In indirect prompt injection, the AI chatbot carries out malicious instructions contained in an external document like an email or PDF (separate from your direct input).  

Delayed tool invocation goes a step further and adds a “delay” in the form of trigger words. For example, Rehberger embedded instructions (invisible to the naked eye) that told Gemini to store false information about him if he typed in “yes,” “no,” or “sure” in a future conversation. 

Although Gemini does send notifications when new data is added to memory, users may fail to catch anything suspicious. This is because prompt injections hide harmful commands in normal-looking PDFs, calendar invites, or emails. For instance, Gemini may execute instructions within a PDF to send summaries of your conversations to an attacker-controlled email. 

This means attackers can potentially exfiltrate sensitive personal details or business data you asked Gemini to analyze. 

Google has assessed the impact on users as low, however. Here’s why: You still need to accept and open a malicious document from an untrusted source for the attack to “work.” Essentially, what we have here is a sophisticated social engineering attack. 

To protect yourself, avoid interacting with documents from untrusted sources - the same advice we give about not clicking untrusted links or attachments. 

When Preamble, Inc. first documented prompt injection attacks in May 2022, the veteran-led AI security company revealed an alarming truth: AI systems can’t reliably tell the difference between instructions they’re supposed to follow and instructions an attacker wants them to follow.  

Both get processed the same way because both look like helpful requests to AI. 

Three years later, that vulnerability hasn’t been fixed. Instead, it’s been weaponized. 

Preamble is now reporting that attackers are creating prompts to generate JavaScript payloads that bypass your Content Security Policy filters.  

They’re using natural language to embed harmful instructions inside data returned by your APIs.  

And they’re creating self-replicating AI worms (like the Morris-II) that spread between connected AI agents. 

If you’re using AI to run your life, then every document you upload is a potential attack vector. And if you’re drafting contracts, analyzing financial data, and managing customer relationships with AI agents, your XSS filters and web application firewall have limited capacity to protect your business against “Prompt Injection 2.0.” 

Thus, building the right defense layers is critical to preventing unauthorized access and identity theft. And if you’re a business, it’s also critical to maintaining customer trust and brand reputation.  

Below, we pull back the curtain on what’s at stake and how you can protect yourself. 

What are the different types of prompt injection attacks? 

Preamble has identified the three key elements that define how “Prompt Injection 2.0” works: 

• How they get into your system (delivery vector) 

• What they do once they get there (attack modality) 

• How they persist or spread (propagation behavior) 

Here's what you need to know about each attack type and more importantly, which ones pose the greatest risk to your specific use case. 

How attacks get into your system (Delivery vector)

What attacks do once inside your system (Attack modality)

How attacks persist and spread (Propagation behavior)

What are the risks of prompt injections?  

The risks of prompt injections include data exfiltration, account takeovers, full system compromise, and persistent malware infections. 

The most dangerous attacks combine all three elements described in the previous section. For example: 

• Delivery vector: indirect prompt injection through a PDF customer upload 

• Attack modality: hybrid XSS + SQL injection to execute malicious code 

• Propagation: autonomous  

This combination means that one malicious document uploaded by one customer could compromise your entire AI infrastructure, without you seeing a single red flag. 

When you look at the “Your Risk” columns above, you may notice many that are marked “HIGH” or “CRITICAL.”  

Every critical risk represents an attack vector that could lead to: 

• Exfiltration of customer data, payment details, trade secrets, or intellectual property 

• Account takeovers using your organization’s AI login credentials 

• Malicious code executing on your systems with your AI agent’s permission 

• Persistent infections that survive reboots and updates 

How to avoid prompt injections 

The only way to avoid prompt injections is to stop using AI chatbots altogether. 

Since AI has become an integral part of modern living, this may be nearly impossible. So, your best bet is to reduce your exposure by changing how you interact with AI. 

Think of AI like public Wi-Fi: 

• Never upload documents from untrusted sources to AI for summarization. That PDF someone sent you may contain invisible instructions that could expose your entire chat history. Remember that the Gemini attack worked through document upload. 

• Treat AI-generated advice about sensitive topics with a (big) grain of salt. If your AI chatbot suddenly advises you to move money to a specific investment or try a viral pop remedy, take a deep breath. It could be a prompt injection.  

Today, one in five adults use AI for health-related advice. But with the advent of prompt injection, medical disinformation has reached levels as high as 37.5%. Ultimately, it’s best to avoid following AI advice on YMYL (your-money-or-your-life) issues. 

• Never trust AI to make authentication or authorization decisions. If you’re using AI tools that integrate with your accounts (banking and email), refrain from letting them make purchase decisions or changes on your behalf.  

Remember: The 2023 WebPilot attack was a form of cross-plugin CSRF + prompt injection.  

It tricked WebPilot into searching for flights and launching the Expedia plugin without explicit user permission – after summarizing a Tom’s Hardware article on a completely unrelated subject. 

• Disable or carefully vet AI memory features. Gemini Advance’s long-term memory features are powerful, but also a persistent attack vector. If an attacker can inject false memories (as shown by Rehberger in Feb 2025), this corrupted info can impact responses from your AI chatbot.  

How to protect against prompt injections  

If you’re running a business that uses AI, you know that every AI tool is a potential entry point for attackers. 

To protect your business, a defense-in-depth approach is your best way forward. Below are six (6) top strategies that will put you in the driver’s seat. 

#1 Audit every AI tool your team uses 

Make a list that includes: 

• Email automation tools 

• Meeting assistants that record and summarize conversations 

• AI coding assistants 

• Customer service chatbots 

• Data analysis tools that query your databases 

For each tool, identify what permissions it has and what data it can access. Ask: Could a prompt injection in this tool lead to system compromise or data exfiltration?  

If all of this seems overwhelming, LastPass can help. SaaS Monitoring + SaaS Protect lets you see who’s logging in and what they’re accessing.  

With just a few clicks, you can activate this functionality in your browser to get visibility into your entire SaaS footprint. 

A key benefit is the ability to block risky AI apps to limit the points of entry attackers can exploit. 

You can unlock SaaS Monitoring + SaaS Protect with a free Business Max trial today (no credit card required).  

Read how Axxor is using LastPass SaaS Monitoring + Protect to build a culture of security. 

“People are experimenting with AI tools like OpenAI and Canva. We don’t want to block innovation, but we do want to guide it safely. LastPass is smart, secure, and it just works.”

Wout Zwiep, process engineer at Axxor, a global leader in honeycomb paper manufacturing serving industries across five continents

#2 Implement least privilege access for AI systems 

In September 2025, researchers implementing the AIShellJack testing framework found that AI coding editors with system privileges could be manipulated to: 

• Execute unauthorized commands (execution rates 75-88%) 

• Achieve privilege execution (71.5% attack success rate) 

• Extract credentials from files (68.2% attack success rate) 

The research highlights how attackers can poison project templates and third-party libraries with attack payloads.  

When developers import these external dependencies into their AI coding editors, the AI processes malicious instructions as part of its operations. 

This is where least privilege access comes in. Restricting the ability to add or import dependencies to authorized developers means fewer chances for malicious code to slip in unnoticed. 

Ultimately, having strict access policies means all actions are traceable. If harmful instructions are found later, it’s easier to track how they entered. 

#3 Never allow AI systems to auto-execute commands without human review 

Cursor’s auto-run mode are productivity enhancers for developers who use the AI-assisted code editor. However, it comes with risks. In the AIShellJack study, researchers tested scenarios where developers enabled auto-execution for convenience. 

Here's what they found: The attack success rate for prompt injections in auto-execution mode ranged from 66.9% to 84.1%. 

Ultimately, human oversight is vital to verifying the intent, accuracy, and safety of AI-generated code. 

#4 Isolate your AI architecture according to the CaMel (CApabilities for MachinE Learning) framework 

In April 2025, Google DeepMind introduced the CaMel framework, which fundamentally treats LLMs as untrusted elements within a secure infrastructure.  

Basically, the framework rests on a dual-LLM approach, where there’s explicit separation between a Privileged LLM (which manages trusted commands) and a Quarantined LLM. 

The second has no access to memory and can’t take any actions, thus preventing it from being exploited by attackers. 

In 2025, the OWASP Gen AI Security Project has listed prompt injection as the #1 security risk for LLM applications. With its dual-LLM approach, CaMel fits into OWASP’s mission to balance access control with practical AI usability for both developers and users. 

#5 Layer on Preamble’s patented mitigation strategies  

Preamble – the company that first documented prompt injection in 2022 – has developed several mitigation strategies. 

• Token-level data tagging: Preamble uses invisible “name tags” to tell AI which parts come from trusted sources, and which come from outside users. 

• Classifier-based input sanitization: Second, Preamble uses classifiers to look for patterns associated with prompt injection attacks and filter them out. 

• Incompatible token sets: This strategy uses different coding styles (token sets) to handle trusted and untrusted commands, so that hidden, dangerous instructions can’t confuse the AI. 

#6 Select the right AI models 

Not all AI models are equally vulnerable. According to the AIShellJack researchers, GitHub Copilot showed significantly better resistance to attacks than Cursor: 

• Cursor with Claude 4: 69.1% attack success rate 

• Cursor with Gemini 2.5 Pro: 76.8% attack success rate 

• GitHub Copilot with Claude 4: 52.2% attack success rate 

• GitHub Copilot with Gemini 2.5 Pro: 41.1% attack success rate 

When evaluating AI vendors, ask: 

• What prompt injection defenses have you implemented? 

• Do you use data tagging or other techniques to separate trusted instructions from malicious prompts? 

• What is your documented track record against known prompt injection attacks? 

That said, here’s the cold, hard truth: Choosing the right models is critical. But alone, it’s insufficient. 

The AIShellJack study shows that 277 out of 314 test cases successfully embedded malicious system calls into code files, even when direct terminal access was restricted.  

So, a layered defense is essential to protect against Prompt Injection 2.0. In summary: 

• Get visibility into your AI tools with SaaS Monitoring + Protect 

• Implement least privilege access for importing project dependencies 

• Use the CaMel framework to compartmentalize your AI infrastructure  

• Implement human-in-the-loop controls for critical decisions 

• Implement validation and Preamble’s classifier-based sanitization for all inputs 

• Choose AI models that are the most resistant against prompt injection attacks 

Beyond this, be sure to: 

• Use OWASP’s prompt injection prevention checklist to ensure you’ve implemented the necessary defenses. 

• Conduct ongoing assessments or penetration testing to identify new vulnerabilities. 

• Read the 2025 LLM risk report from  OWASP Gen AI Security Project to learn more about prompt injections and other LLM-based threats. 

Sources 

https://arstechnica.com/security/2025/02/new-hack-uses-prompt-injection-to-corrupt-geminis-long-term-memory/

https://www.infoq.com/news/2025/02/gemini-long-term-memory-attack/

https://arxiv.org/html/2509.22040v1

https://arxiv.org/html/2507.13169v1

https://arxiv.org/html/2505.14534v1

https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/

https://nsfocusglobal.com/prompt-word-injection-an-analysis-of-recent-llm-security-incidents/

https://www.paloaltonetworks.com/cyberpedia/what-is-a-prompt-injection-attack

https://www.trendmicro.com/en_us/research/25/a/invisible-prompt-injection-secure-ai.html

https://www.trendmicro.com/en_us/research/24/l/genai-prompt-injection-attack-threat.html

https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work

https://www.eejournal.com/industry_news/preamble-unveils-prompt-injection-2-0-research-and-releases-open-source-ai-security-testing-platform/

https://www.tomshardware.com/news/chatgpt-plugins-prompt-injection

https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html