BioShocking Attack Steals Credentials from Six AI Browsers

Security firm LayerX has demonstrated a new attack method that successfully compromised six AI-powered browsers and assistants, including OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. The technique, dubbed BioShocking, exploits how AI agents process web content to trick them into stealing user credentials.

The vulnerability targets AI browsers operating in agent mode—systems designed to autonomously navigate websites, click buttons, and interact with services where users are already authenticated. This autonomous access, while convenient, creates a security gap that attackers can exploit through what researchers call indirect prompt injection.

How the attack exploits AI agent trust

The BioShocking technique centers on a carefully crafted web page disguised as a logic puzzle. The page presents itself with a dystopian theme that rewards deliberately incorrect answers, such as accepting that 2 + 2 = 5. Once the AI agent accepts this inverted logic as part of the game's rules, it begins following the puzzle's instructions rather than its built-in safety protocols.

The core vulnerability lies in how AI agents process information. Web page content and user instructions arrive as a unified text stream, making it difficult for the agent to distinguish between legitimate content and embedded malicious commands. When the puzzle's final step instructs the agent to retrieve user credentials, none of the six tested systems recognized this as a prohibited action.

In LayerX's demonstration, the attack directed agents to a victim's work GitHub repository, where they extracted SSH login credentials and transmitted them to the attacker. The researchers used a benign plaintext file for testing, but the same method could target any resource accessible in the user's authenticated session—including open browser tabs, signed-in accounts, and internal corporate tools.

Why it matters

AI agents with autonomous browsing capabilities represent a fundamental shift in how users interact with web services, but they also create a new attack surface that extends beyond traditional phishing. When an AI agent has access to authenticated sessions, a successful exploit doesn't just compromise one account—it potentially exposes every system the user can reach. For enterprises deploying AI assistants, this means a single compromised agent could access internal tools, customer data, and proprietary systems without triggering conventional security alerts.

Vendor responses and mitigation strategies

LayerX reported the vulnerability to affected vendors between October 2025 and January 2026, receiving inconsistent responses. OpenAI addressed the issue in ChatGPT Atlas, while Perplexity closed the report without implementing fixes. Fellou, Genspark, and Sigma did not respond to the disclosure. Anthropic attempted to patch its Claude extension, though LayerX reports the fix proved insufficient.

The research team recommends that AI browser developers implement explicit user consent prompts before agents access authenticated resources. A simple confirmation like "I'm about to copy data from your GitHub repository. Continue?" would interrupt the attack chain. They also advocate for systems that detect when web pages attempt to override normal operational rules and for user-configurable boundaries on agent access.

For users and security teams, the guidance is straightforward: treat agent mode as a privileged access level. Only enable it when necessary, limit what accounts remain signed in during agent sessions, and revoke access immediately after completing tasks. Enterprise security teams should apply the principle of least privilege, granting AI agents only the minimum access required for specific functions rather than blanket permissions across all user-accessible systems.

These findings were first reported by LayerX and detailed on The Hacker News.