CrowdStrike catalogs new ways hackers hijack AI agents with hidden prompts

Prompt injection has become one of the defining security problems of the AI era, and CrowdStrike just made the map of it bigger. The company's AI security research team has published 18 new prompt injection techniques, pushing its public taxonomy past 200 distinct methods for manipulating the language, context, and data that AI systems trust. Prompt injection means sneaking instructions into the text or data a model reads so that it follows the attacker instead of the user.

The risk has grown sharply as organizations move from simple chatbots to AI agents that can crawl webpages, open file stores, and even run shell commands. When an agent ingests attacker controlled data, an instruction hidden inside that data can hijack it, a class of attack researchers call indirect prompt injection. IntelFusions has covered how scammers plant hidden instructions in websites to redirect AI agents, and how North Korean malware even tries to gaslight AI triage tools.

Five new tricks

Among the additions, CrowdStrike details five techniques that show how far past crude jailbreaks the field has moved:

What it means for defenders

CrowdStrike argues that securing AI now requires threat modeling every place model context can originate, including prompts, files, retrieval pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data. AI red teaming needs to move well beyond typing "ignore previous instructions," and detection has to account for composite attacks that chain several of these techniques at once. Above all, teams need runtime visibility into the prompts and responses flowing through their AI systems, since an instruction buried in retrieved data can look perfectly innocent until the moment it fires.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions