LayerX's BioShocking Attack Exploits AI Browsers to Steal Credentials
Prompt injection tricks AI agents into leaking SSH keys from GitHub.
LayerX developed the BioShocking attack to demonstrate how AI browsers in agent mode can be exploited. The attack relies on indirect prompt injection: malicious instructions are embedded within web content that the AI agent reads, making them indistinguishable from legitimate user requests. In the proof of concept, a fake puzzle game rewarded the agent for accepting false logic (e.g., 2+2=5) and then instructed it to find and copy a hidden code—which was actually SSH credentials from a real GitHub repository. The agent complied, sending the data to the attacker. LayerX tested six AI browsers and assistants: OpenAI's ChatGPT Atlas, Perplexity's Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic's Claude extension for Chrome. All six exposed sensitive information during testing, highlighting a systemic vulnerability in how these tools handle concurrent user sessions and web content.
Vendor responses were uneven. OpenAI fixed the issue in ChatGPT Atlas after disclosure between October 2025 and January 2026. Anthropic attempted a fix for its Claude extension, but LayerX reported the patch did not hold. Perplexity closed the issue without taking action, while Fellou, Genspark, and Sigma did not respond. LayerX stressed that while their test used a harmless plaintext file, the same method could target private repositories, internal tools, or session data. For security teams, AI browsers in agent mode should not be treated as harmless productivity tools—they effectively act as delegated user accounts with access to everything the user can reach. Users should verify that their AI browsers require explicit user confirmation before performing sensitive actions like copying credentials or submitting forms.
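The mitigation the article calls for, explicit user confirmation before sensitive actions, can be made concrete as a policy gate between the agent's planner and its tool calls. The following is an added example written for this page; it is not LayerX's proof of concept and not code from any of the vendors named above. It assumes a simple action model (`copy_text`, `submit_form`, `http_post`, `navigate`), tracks where each instruction came from (the user or web content) and where each payload was read from, and uses a constructed attacker origin `puzzle.example` and a constructed key to replay the scenario described in the text.

```python
"""Policy gate for an AI-browser agent (added example, not vendor code).

Every action the agent wants to perform passes through evaluate() first.
Two rules implement the article's recommendation:
  1. An instruction that originated in web content can never authorize a
     sensitive action on its own; the user must confirm it.
  2. Credential-looking data is never sent to an origin other than the one
     it was read from, regardless of who asked.
"""
import re
from dataclasses import dataclass

# Markers of secrets an agent might "copy" from a page. The private-key header
# is the real OpenSSH/PEM format; the token pattern is only illustrative.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----")
TOKEN_RE = re.compile(r"\b(?:ghp|github_pat)_[A-Za-z0-9_]{20,}\b")

# Actions that move data somewhere or change state; reads and navigation are not.
SENSITIVE_ACTIONS = {"copy_text", "submit_form", "http_post"}


@dataclass
class Action:
    kind: str                   # "copy_text", "submit_form", "http_post", "navigate", ...
    payload: str = ""           # text being copied or sent
    payload_origin: str = ""    # origin the payload was read from, e.g. https://github.com
    destination: str = ""       # origin the payload is sent to (submit_form / http_post)
    requested_by: str = "user"  # provenance of the instruction: "user" or "web"


def looks_like_credential(text: str) -> bool:
    return bool(PRIVATE_KEY_RE.search(text) or TOKEN_RE.search(text))


def evaluate(action: Action) -> tuple[str, str]:
    """Classify an action as 'allow', 'confirm' (needs the user's explicit
    approval) or 'deny', together with the reason."""
    secret = looks_like_credential(action.payload)
    leaves_origin = bool(action.destination) and action.destination != action.payload_origin
    if secret and action.kind in {"submit_form", "http_post"} and leaves_origin:
        return "deny", "credential-looking data would be sent to a different origin"
    if action.kind in SENSITIVE_ACTIONS and action.requested_by != "user":
        return "confirm", "sensitive action was requested by web content, not the user"
    if action.kind in SENSITIVE_ACTIONS and secret:
        return "confirm", "payload looks like a credential"
    return "allow", ""


def run_action(action: Action, confirm) -> bool:
    """Apply the verdict. `confirm` is a callback that prompts the user and
    returns True or False. Returns True if the action may proceed."""
    verdict, reason = evaluate(action)
    if verdict == "deny":
        return False
    if verdict == "confirm":
        return bool(confirm(f"{action.kind}: {reason}. Proceed?"))
    return True


# Constructed replay of the scenario in the article: instructions embedded in
# the puzzle page ask the agent to post a key it read on GitHub back to the
# puzzle site. Both the origin and the key are made up for this example.
PUZZLE_PAGE = "https://puzzle.example"
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "AAAA-constructed-not-a-real-key\n"
            "-----END OPENSSH PRIVATE KEY-----")


def demo() -> list[str]:
    """Verdicts for three representative actions, in order."""
    exfil = Action("http_post", FAKE_KEY, "https://github.com", PUZZLE_PAGE, requested_by="web")
    web_form = Action("submit_form", "2+2=5", PUZZLE_PAGE, PUZZLE_PAGE, requested_by="web")
    user_copy = Action("copy_text", "meeting notes", "https://docs.example", requested_by="user")
    return [evaluate(a)[0] for a in (exfil, web_form, user_copy)]


if __name__ == "__main__":
    for name, verdict in zip(("exfil", "web_form", "user_copy"), demo()):
        print(f"{name}: {verdict}")
```

The provenance field is the important design choice: the article's point is that injected instructions read like legitimate requests, so a gate that inspects only the wording of an instruction is unreliable. Tagging every instruction with its source instead means that nothing read from a page can, by itself, trigger a copy, form submission or outbound request. The credential patterns are a second, independent line of defence and will not catch every secret; the confirmation step is what carries the weight.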
- BioShocking uses indirect prompt injection to disguise malicious instructions as game rules, tricking AI agents into exfiltrating credentials.
- All six tested AI browsers—ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser, and Claude extension—leaked sensitive data.
- Vendor fixes varied: OpenAI patched, Anthropic's fix failed, Perplexity closed without action, and three vendors didn't respond.
Why It Matters
AI browsers with agent mode create new credential theft risks through prompt injection, demanding stricter user confirmation controls.