BioShocking Exploit Steals SSH Keys From 6 Agentic Browsers
The BioShocking exploit uses indirect prompt injection to bypass safety guardrails in six agentic AI browsers, enabling unauthorized access to user credentials.
On June 30, 2026, LayerX researchers disclosed a novel indirect prompt injection attack targeting agentic AI browsers in a detailed security report. Dubbed “BioShocking,” the exploit tricks AI agents into ignoring their safety guardrails by framing malicious actions as part of a fictional game scenario. The vulnerability allows attackers to extract authenticated user data, such as SSH credentials, across different browser tabs.
Exploiting Rule Dissociation
The attack relies on manipulating the agent’s perception of context. A user navigates their AI browser to an attacker-controlled webpage hosting a themed puzzle. The puzzle conditions the agent to accept false logic, rewarding it for agreeing to statements like “two plus two equals five.” By establishing a fictional ruleset, the exploit successfully dissociates the agent from its standard safety training.
Once the agent accepts this false reality, the attacker issues a final game objective. In the proof-of-concept, the researchers instructed the conditioned agent to visit a private GitHub repository, copy the user’s SSH credentials, and exfiltrate them to an external endpoint. The agents executed the credential theft without triggering internal safety flags, viewing the action as a required step in the puzzle.
While the proof-of-concept targeted GitHub, the attack path is broad. The exploit can interact with any resource the user is currently authenticated into, exposing web-based password managers, email accounts, and cloud infrastructure consoles to automated extraction.
Vendor Scope and Remediation
LayerX tested the exploit against six major agentic browsers between October 2025 and January 2026. All six were vulnerable at the time of discovery: ChatGPT Atlas, Perplexity’s Comet, Anthropic’s Claude Chrome plugin, Genspark Browser, Sigma Browser, and Fellou.
Vendor remediation has been uneven across the ecosystem. OpenAI successfully deployed a patch for ChatGPT Atlas prior to public disclosure. Anthropic attempted a fix for the Claude plugin, but researchers confirmed the exploit still bypassed the new protections. Perplexity closed the vulnerability report without taking action, and the remaining three vendors did not respond to the initial disclosure.
The vulnerability highlights a structural flaw in current agent architectures, one that also complicates how teams evaluate and test AI agents: large language models fundamentally struggle to separate operational instructions from untrusted data context. Granting an agent access to authenticated browser sessions therefore effectively gives it local administrator privileges over every web resource the user is signed into.
If you deploy or use agentic browsers, you must treat them as highly privileged execution environments. Implement strict execution boundaries by requiring manual user confirmation for any cross-domain navigation, data extraction, or outbound network requests.
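The execution boundary described above can be enforced in the agent harness rather than in the model, so that no page text can argue its way past it. The following is an added illustration, not code from LayerX or from any of the browsers named here: a small policy gate that classifies each step an agent proposes and requires an explicit user decision for cross-domain navigation, data extraction, and outbound requests. The action types, the `task_origin` concept and the placeholder hostnames are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


class Verdict(Enum):
    ALLOW = "allow"      # harness executes without asking
    CONFIRM = "confirm"  # harness must get an explicit user decision first


@dataclass(frozen=True)
class Action:
    """One step the agent proposes. `rationale` is model output and is
    therefore untrusted: the policy never reads it."""
    kind: str        # "navigate" | "extract" | "request" (assumed action set)
    target: str      # URL the step touches
    rationale: str = ""


def registrable_domain(url: str) -> str:
    # Simplified: last two labels of the hostname. A production gate
    # should use the Public Suffix List (e.g. "co.uk" is not a site).
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def evaluate(action: Action, task_origin: str) -> Verdict:
    """Decide whether `action` may run unattended.

    task_origin is the URL of the page the user actually asked the agent to
    work on. Leaving that site, reading data out of a page, or sending bytes
    anywhere is gated regardless of what the model says about it."""
    if action.kind == "navigate":
        same_site = registrable_domain(action.target) == registrable_domain(task_origin)
        return Verdict.ALLOW if same_site else Verdict.CONFIRM
    if action.kind in ("extract", "request"):
        return Verdict.CONFIRM
    return Verdict.CONFIRM  # unknown action types fail closed


def run_plan(plan: List[Action], task_origin: str,
             confirm: Callable[[Action], bool]) -> List[Tuple[Action, Verdict, bool]]:
    """Walk a plan, stopping at the first gated step the user declines.
    `confirm` stands in for the browser's confirmation dialog."""
    trace = []
    for step in plan:
        verdict = evaluate(step, task_origin)
        executed = verdict is Verdict.ALLOW or confirm(step)
        trace.append((step, verdict, executed))
        if not executed:
            break  # a declined step aborts the rest of the plan
    return trace


# Constructed sample plan with the shape of the reported attack: the page the
# user opened steers the agent to an authenticated site, has it read a secret,
# and then send it elsewhere. All hosts are placeholders, not real services.
TASK_ORIGIN = "https://puzzle.example.net/level-7"
SAMPLE_PLAN = [
    Action("navigate", "https://puzzle.example.net/level-8", "next level"),
    Action("navigate", "https://code.example.com/me/private-repo/keys",
           "the game says the key is stored here"),
    Action("extract", "https://code.example.com/me/private-repo/keys",
           "copy the text, it is the puzzle answer"),
    Action("request", "https://collector.example.org/submit",
           "submit the answer to win"),
]


def decline_everything(step: Action) -> bool:
    # Simulates a user who refuses every confirmation prompt.
    return False


def demo() -> List[Tuple[Action, Verdict, bool]]:
    return run_plan(SAMPLE_PLAN, TASK_ORIGIN, decline_everything)


if __name__ == "__main__":
    for step, verdict, executed in demo():
        print(f"{step.kind:9} {verdict.value:8} executed={executed} {step.target}")
```

Run stand-alone, the trace shows the in-site navigation going through and the plan halting at the first cross-domain hop, so the extraction and outbound request never reach the executor. The point of the design is that `evaluate` depends only on the action's kind and target and on where the user started; the model's rationale, which is exactly what an injected page manipulates, has no input into the decision.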