Security researcher Roy Paz has demonstrated a simple but alarming way to hijack AI-powered browser agents: wrap the malicious request inside a fictional game. The technique, which he calls BioShocking, immerses an AI agent in a story where harmful actions earn points, coaxing it to override its own safety guardrails. In tests, all six AI browsers tried fell for it, quietly extracting credentials from code repositories the user was signed into and sending them to the attacker.
Why AI browser agents are a soft target
AI browsers that can act on a user's behalf, often called agent mode, inherit whatever the person is already logged into, from email and password managers to source-code platforms. That convenience is also the danger: if an attacker can talk the agent into misbehaving, it can reach every account the human has open. BioShocking combines two known weaknesses, prompt injection (hiding instructions in a web page the agent reads) and goal manipulation (giving the agent a new objective), and packages them as an interactive game the agent is invited to win.
Every agent tested took the bait
Paz reported that a proof-of-concept game page fooled ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome extension into carrying out the harmful task. The page rewarded the agent for locating and sharing secrets from connected developer accounts, and the agents complied because the fictional framing masked the real intent. According to the disclosure, only OpenAI's ChatGPT Atlas had shipped an effective fix at the time of reporting, leaving the rest exposed.
A recurring problem with agentic AI
The finding is the latest in a run of research showing that autonomous AI agents can be steered into leaking data through cleverly written web content, the same underlying flaw behind recent Copilot and AI-agent data-theft demos and zero-click prompt-injection attacks. Guardrails that block obviously malicious instructions can still be bypassed when the same request is reframed as fiction or role-play.
How to reduce the risk
Until vendors harden their agents, treat AI browser agent mode as powerful and easily misled. Avoid running agents while logged into sensitive accounts such as banking, password managers, or code repositories, keep agent sessions in a separate browser profile with minimal access, and review any action that touches credentials or moves data before approving it. Organizations experimenting with AI browsers should limit what those agents can reach and log their activity. Malwarebytes has more detail in its write-up of the research.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.