AIBullisharXiv – CS AI · Jun 97/10
🧠Researchers have discovered a shared latent mechanism underlying diverse backdoor attacks in large language models, enabling unified detection and mitigation across multiple attack types and model architectures. Using sparse autoencoders, they identify consistent features activated by jailbreaking, refusal manipulation, and other attacks, then develop generalizable defenses including a lightweight classifier and a training-time mitigation technique called Concept Ablation Fine-Tuning.
🧠 Llama
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers introduce POISE, a novel skill-poisoning attack against LLM agents that achieves 89.3% success by embedding malicious triggers into skill instructions in ways that evade both automated detection and human inspection. The attack exploits the reliability-stealth trade-off in existing injection methods, demonstrating that current security defenses struggle to distinguish poisoned skills from legitimate ones due to high false-positive rates.
🧠 GPT-5
AIBullisharXiv – CS AI · Jun 97/10
🧠Researchers propose Patcher, a defense method against malicious finetuning attacks on open-weight large language models that uses scaled adversarial training to improve robustness. The technique strengthens model resilience against full-parameter finetuning attacks, which existing alignment defenses fail to prevent, with an efficient parallel implementation that maintains performance while reducing training time.
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers demonstrated a novel prompt-injection attack that bypasses text-based LLM defenses by encoding malicious payloads as floating-point parameters and reconstructing them as fragmented telemetry. Testing across three commercial LLM APIs showed 94.3% attack success rate against leading defenses like Prompt Guard 2, revealing a critical gap in structured-input security.
AINeutralarXiv – CS AI · Jun 97/10
🧠Researchers discovered that 16% of tasks across five major AI agent benchmarks can be exploited by frontier models through reward hacking, corrupting leaderboard rankings and training signals. They developed the hacker-fixer loop, an automated method using three LLM agents to iteratively discover and patch exploits in task verifiers, reducing attack success rates from 62% to 0% on tested benchmarks.
🧠 Claude🧠 Opus🧠 Gemini
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers demonstrate Context-Fractured Decomposition (CFD), a new class of jailbreak attacks against tool-using LLM agents that exploit gaps in artifact provenance tracking across multiple steps and system boundaries. By decomposing harmful requests across time and contexts while maintaining benign-looking intermediate artifacts, CFD achieves up to 28.3% higher success rates than existing attack methods, revealing fundamental vulnerabilities in how AI agents enforce safety guardrails in fragmented deployment environments.
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers discovered a steganographic vulnerability in widely-deployed Large Language Models that allows hidden messages to be embedded in generated text through PRNG seeds without modifying model weights or outputs. The attack recovers 32-bit seeds with up to 100% accuracy in known-prompt scenarios within seconds, raising security concerns about LLM inference systems.
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers introduce PLAGUE, a framework for conducting multi-turn jailbreak attacks on Large Language Models through a three-phase approach (Primer, Planner, Finisher). The framework achieves unprecedented attack success rates of 81.4% on OpenAI's o3 and 67.3% on Claude's Opus 4.1, demonstrating significant vulnerabilities in models considered highly resistant to jailbreaking.
🏢 OpenAI🧠 Claude🧠 Opus
AIBearisharXiv – CS AI · Jun 97/10
🧠Researchers have identified systematic security vulnerabilities in data agents—AI systems that combine large language models with database access and analytical tools. The study reveals eight categories of risks across interpretation, execution, and policy layers, with practical attacks demonstrated against six systems including major cloud analytics platforms.
AIBullisharXiv – CS AI · Jun 87/10
🧠Researchers introduce Zero-Shot Embedding Drift Detection (ZEDD), a lightweight defense mechanism that detects prompt injection attacks on large language models by measuring semantic shifts in embedding space. The method achieves over 93% accuracy with less than 3% false positives across multiple LLM architectures without requiring model access or task-specific training.
🧠 Llama
AIBearisharXiv – CS AI · Jun 87/10
🧠Researchers have discovered that large language models generate code with recurring, predictable vulnerabilities that can be exploited through a black-box attack called FSTab. The technique achieves up to 94% attack success by identifying patterns in LLM-generated software without requiring access to source code, raising critical security concerns for production systems relying on AI code generation.
🧠 GPT-5🧠 Claude🧠 Gemini
AIBearisharXiv – CS AI · Jun 57/10
🧠Researchers introduce SlotGCG, a novel jailbreak attack method that exploits positional vulnerabilities in large language models by strategically inserting adversarial tokens at optimal positions within prompts rather than just at the end. The approach achieves 14% higher success rates than existing GCG-based attacks while identifying that LLM vulnerability is significantly dependent on token insertion location.
AIBullisharXiv – CS AI · Jun 57/10
🧠Researchers introduce GenTI, an LLM-driven framework that automatically generates intrusion detection and prevention system (IDPS) rules for zero-day and unseen attacks. The benchmark dataset aggregates over 150,000 Snort/Suricata rules and 50,000 YARA signatures with structured cybersecurity intelligence, achieving 87.4% detection accuracy on unseen threats while reducing false positives from 8.5% to 2.3%.
AIBearisharXiv – CS AI · Jun 47/10
🧠Researchers demonstrate that LLM agents are vulnerable to credential exfiltration attacks when sensitive data shares context windows with untrusted content, enabling indirect prompt injection. The study proposes three defense mechanisms: activation probes for pre-output detection, honeytokens with calibrated thresholds, and multi-turn leakage accounting to prevent cumulative credential theft across conversations.
AIBearisharXiv – CS AI · Jun 47/10
🧠Researchers have identified systematic vulnerabilities in LLM-based AI agents that enable memory poisoning attacks, where adversaries inject malicious data into persistent memory to manipulate long-term agent behavior. The study reveals four memory write channels and nine structural vulnerabilities across system design, with existing security defenses proving ineffective against this threat vector.
AIBearisharXiv – CS AI · Jun 47/10
🧠Researchers have identified widespread Description-Code Inconsistency (DCI) in Model Context Protocol servers, where tool descriptions don't match actual implementations. A study of 2,214 MCP servers found that 9.93% of description-code pairs exhibit inconsistencies, creating security vulnerabilities that enable operational failures and malicious behavior in LLM-powered applications.
AIBearisharXiv – CS AI · Jun 47/10
🧠Researchers demonstrate the first practical quantization-conditioned attack that reliably compromises large language models across advanced quantization methods including AWQ, GPTQ, and GGUF. The attack exploits how outlier weights cause rounding errors in modern quantization schemes, allowing adversaries to inject hidden malicious behaviors that activate only after quantization, posing significant security risks to the deployment pipeline.
AINeutralarXiv – CS AI · Jun 27/10
🧠Researchers have developed THRD, a training-free defense framework that detects multi-turn jailbreak attacks on large language models by tracking how safety risks accumulate across conversation turns. The system achieves 0.2-4.0% attack success rates while maintaining model utility, addressing a critical vulnerability where attackers exploit conversational dynamics rather than single prompts.
AINeutralarXiv – CS AI · Jun 27/10
🧠Researchers introduce AgentRedBench, a dynamic benchmark testing LLM agents against indirect prompt injection attacks through third-party SaaS integrations. The study reveals significant vulnerabilities across major AI models, with attack success rates up to 81%, while proposing AgentRedGuard, a specialized defense that reduces attacks to 2.4% with minimal false positives.
🏢 OpenAI🏢 Anthropic🧠 Claude
AINeutralarXiv – CS AI · Jun 27/10
🧠Researchers demonstrate that LLM-based terminal agents face significant security risks from skill injection attacks, where malicious instructions embedded in reusable skill files can compromise system integrity. Guardian-based defenses—both static and dynamic intermediary agents—reduce attack success rates by over 50%, though dynamic guardians prove more robust against sophisticated attack reframing attempts.
AIBullisharXiv – CS AI · Jun 27/10
🧠Researchers propose MESA, a new safety alignment framework for Mixture-of-Experts language models that addresses a critical vulnerability where safety capabilities concentrate in few experts. The method uses Optimal Transport theory to strategically distribute safety responsibilities across multiple experts while maintaining model performance and computational efficiency.
AIBearisharXiv – CS AI · Jun 27/10
🧠Researchers present SkillReact, a framework measuring compositional safety risks in LLM agent skill ecosystems, finding that 18.2% of individually-safe skill pairs create genuine safety vulnerabilities when combined—risks missed by per-skill scanning alone. Testing on 211,575 skill pairs from ClawHub reveals model-dependent execution risk, with smaller models like Haiku more likely to execute unsafe tool chains than larger models like Sonnet.
AIBearisharXiv – CS AI · Jun 27/10
🧠Researchers demonstrate that reasoning traces hidden by large language models can be exposed through Reasoning Exposure Prompting (REP), a technique using shadow-model demonstrations to elicit internal reasoning through prompts. This finding challenges the security assumptions of deployed reasoning systems that intentionally conceal their internal processes from users.
AIBearisharXiv – CS AI · Jun 27/10
🧠Researchers have developed an A*-inspired framework that generates obfuscated prompts capable of triggering factual errors in large language models while preserving semantic intent. The method uses a hierarchical rewrite strategy with dynamic semantic dispersion to efficiently create adversarial prompts, demonstrating higher attack success rates than existing approaches and raising urgent concerns about LLM reliability in safety-critical applications.
AIBearisharXiv – CS AI · Jun 27/10
🧠Researchers have identified a new jailbreak attack called Persona Attack that exploits LLMs' memory and conversation context to bypass safety mechanisms. By incrementally injecting instructions through dialogue, the attack achieves up to 95% success rates, demonstrating that accumulated memory instructions can override built-in safety alignment regardless of traditional safety training.