In the recon stage, the attacker maps the system to plan their attack. Key questions an attacker is asking at this point include: What are the routes by which data I control can get into the AI model? What tools, Model Context Protocol (MCP) servers, or other functions does the application use that might be exploitable? What open source libraries does the application use? Where are system guardrails applied, and how do they work? What kinds of system memory does the application use? Recon is often interactive. Attackers will probe the system to observe errors and behavior. The more observ
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical BlogThe hijack stage is where the attack becomes active. Malicious inputs, successfully placed in the poison stage, are ingested by the model, hijacking its output to serve attacker objectives. Common hijack patterns include: Attacker-controlled tool use: Forcing the model to call specific tools with attacker-defined parameters. Data exfiltration: Encoding sensitive data from the model’s context into outputs (e.g., URLs, CSS, file writes). Misinformation generation: Crafting responses that are deliberately false or misleading. Context-specific payloads: Triggering malicious behavior only in tar
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical BlogIn this section, we’ll use the AI Kill Chain to analyze a simple RAG application and how it might be used to exfiltrate data. We’ll show how we can improve its security by attempting to interrupt the AI Kill Chain at each step. An attacker’s journey through the AI Kill Chain might look something like this: Recon: The attacker sees that three models are used: embedding, reranking, and an LLM. They examine open source documentation for known vulnerabilities, as well as user-facing system documentation to see what information is stored in the vector database. Through interaction with the system,
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical BlogIn the poison stage, the attacker’s goal is to place malicious inputs into locations where they will ultimately be processed by the AI model. Two primary techniques dominate: Direct prompt injection: The attacker is the user, and provides inputs via normal user interactions. Impact is typically scoped to the attacker’s session but is useful for probing behaviors. Indirect prompt injection: The attacker poisons data that the application ingests on behalf of other users (e.g., RAG databases, shared documents). This is where impact scales. Text-based prompt infection is the most common technique
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical Blog… What open source libraries does the application use? Where are system guardrails applied, and how do they work? What kinds of system memory does the application use? Recon is often interactive. Attackers will probe the system to observe errors and behavior. …
… Furthermore, the pre-installed Smart Feed app appears to be enabling these actions. Either way, it looks like the Smart Feed app detects when you open the Amazon app and quickly opens its own affiliate link in a browser. Are you seeing this sketchy behavior on your Moto phone? …
… Normal DLL loading behavior allowed attackers to sideload malicious code into the trusted process and hijack execution flow. An updated version of the FDMTP backdoor framework appears to power the payload. …
… All four repositories share the same fake author identity, the same modified files, and the same payload behavior, which makes them almost certainly the work of one actor using one compromised credential with org wide push access." This allowed the attackers to publish what appeared to be legitimat… …
I noticed something weird happening lately on my Razr 60 Ultra: when I tried to open the Amazon app, it would instead open the browser and send me to some sketchy looking url, which then redirects to amazon.com with an a…
Hi Reddit, We just wrapped up The Android Show | I/O Edition, and a core theme of the show was how we’re making your phone more helpful so that you can spend less time looking at it and more time living your life. To mak…
… Another is to outright buy access to the app from the developer. Yeah… And a third is to hack tools or apps that the developer uses. …
… Expected behavior. …
… Check common signs that indicate a hacking attempt on your device Protect your passwords Passkeys are essential You might think that you're safe from cybersecurity attacks thanks to standard multi-factor authentication or two-factor authentication like SMS or app-based codes, but these are starting… …
… When wallet applications are present, hijacks them by terminating their processes and replacing the legitimate core application file with a malicious one called app.asar downloaded from the command-and-control C2 server. …
… This change was discovered by Aaron Perris during the iOS 26.5 beta cycle: As his post says, this behavior with Apple’s ‘Magic’ accessories mirrors what happens when using a Mac. …
… This change was discovered by Aaron Perris in iOS 26.5 beta 1: As his post says, this behavior with Apple’s ‘Magic’ accessories mirrors what happens when using a Mac. …