What happened
Security researchers at LayerX have disclosed a new attack technique called BioShocking that exploits AI-powered browsers and assistants operating in agent mode. The researchers found that six AI tools, including OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension, could be manipulated into retrieving sensitive credentials from authenticated sessions and sending them to an attacker.
The attack relies on indirect prompt injection, where malicious instructions are hidden inside seemingly harmless webpage content. Because AI agents process webpage text and user instructions together, they can struggle to distinguish legitimate requests from embedded attacker commands.
In LayerX’s demonstration, a victim was directed to a malicious webpage designed as a puzzle. The game intentionally rewarded incorrect answers, conditioning the AI agent to ignore its normal safeguards. The final instruction asked the agent to retrieve SSH credentials from the user’s authenticated GitHub repository and transmit them externally. The AI agent complied without recognizing the request as malicious.
LayerX reported the vulnerabilities to affected vendors between October 2025 and January 2026. According to the researchers, OpenAI addressed the issue in ChatGPT Atlas, while Perplexity closed the report without implementing a fix. Anthropic attempted a mitigation for its Claude extension, but LayerX said the protection remained insufficient.
Who is affected
Organizations experimenting with AI browsers and autonomous AI assistants are the most exposed. Employees who use agent mode while logged into corporate applications, developer platforms, cloud services, or internal business systems could unintentionally grant AI agents access to sensitive company data.
Development teams are particularly at risk because AI agents may access source code repositories, SSH keys, API credentials, documentation, and other confidential resources already available through authenticated browser sessions.
Why CISOs should care
BioShocking highlights a growing security challenge as AI agents become more deeply integrated into enterprise workflows. Unlike traditional phishing attacks that target human users, this technique targets the AI assistant itself, convincing it to perform unauthorized actions using the user’s existing permissions.
The findings reinforce that AI agents should be treated as privileged identities within enterprise environments. If an AI browser can access corporate systems, attackers may be able to abuse that access through carefully crafted prompt injection attacks without exploiting software vulnerabilities.
As organizations accelerate AI adoption, security teams will need governance policies, access controls, and monitoring specifically designed for autonomous AI agents.
3 practical actions
- Limit AI agent access using least-privilege principles and avoid leaving AI browsers connected to sensitive corporate resources longer than necessary.
- Require user confirmation before AI agents retrieve information from authenticated applications, repositories, or internal systems.
- Update AI usage policies and educate employees about the risks of prompt injection attacks against AI browsers operating in agent mode.
