New BioShocking Attack Tricks AI Browsers Into Leaking Credentials

LayerX found that BioShocking could trick AI browsers into leaking credentials by disguising malicious prompts as game rules.

Written By
Kezia Jungco
Jul 1, 2026

AI browsers promise to help users get things done faster. BioShocking shows how the same convenience can lead to a credential leak.

Security firm LayerX found that attackers could trick six AI browsers and assistants into copying sensitive user data and sending it away by convincing the agents they were playing a game. The attack matters because AI browsers in agent mode can click, read, and act inside accounts where users already have active sessions, creating a new access risk when guardrails fail.

The bigger problem is not just that attackers can fool an AI agent. The agent may also have access to work accounts, repositories, open tabs, internal tools, and credentials while reading instructions from a malicious web page.

How the attack works

The Hacker News reported that LayerX developed BioShocking and tested it against six AI browsers and assistants, including OpenAI’s ChatGPT Atlas, Perplexity’s Comet, and Anthropic’s Claude browser extension.

The attack relies on indirect prompt injection, where malicious instructions hide inside web content the AI agent reads. The web page and the user’s request can appear to the agent as a single stream of text, making it harder to distinguish a legitimate task from a hostile instruction.

In LayerX’s proof of concept, the malicious page presented itself as a puzzle game.

The “rules” rewarded wrong answers, such as accepting that 2 + 2 = 5. Once the agent accepted that false game logic, it followed the next instruction as part of the game instead of treating it as a security risk.

The final task asked the agent to find and copy a hidden code. In the test, that “code” came from sensitive data in a work GitHub repository. The agent copied SSH credentials and sent them back to the attacker.

Agent mode raises the stakes

Android Authority said that LayerX tested ChatGPT Atlas, Perplexity Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic’s Claude extension for Chrome. According to LayerX, all six exposed sensitive information during testing.

The risk comes from what AI browsers can do. A regular browser mostly waits for the user to click, copy, type, or submit information. An AI browser in agent mode can do those things on the user’s behalf.

That makes the browser more useful, but also more dangerous when it trusts the wrong context.

If the user is signed in to GitHub, email, cloud dashboards, internal portals, or other work apps, the agent may access those places during the session.

For security teams, this means an AI browser should not look like a harmless productivity add-on. In agent mode, it can behave more like a delegated user account with access to whatever the user can reach.

Vendors gave uneven responses

Infosecurity Magazine noted that LayerX disclosed the issue to vendors between October 2025 and January 2026. OpenAI fixed the issue in ChatGPT Atlas, while Anthropic attempted a fix for its Claude extension, though LayerX said the patch did not hold.

Perplexity reportedly closed the issue without taking action, while Fellou, Genspark, and Sigma did not respond, according to LayerX. Infosecurity Magazine said it had reached out to the vendors individually.

LayerX stressed that its test used a harmless plaintext file, but the same method could point an agent to private repositories, internal tools, session data, or other sensitive pages.

The risk becomes more serious when the agent can reach real accounts. The same prompt-injection trick could turn a fake puzzle into data theft.

What users should check before using agent mode

LayerX recommended that AI browser makers require user confirmation before an agent reads from logged-in accounts. A prompt asking whether the agent should copy data from a GitHub repository, for example, could break the attack chain before credentials leave the account.

The company also called for agents to detect when a page tries to rewrite normal rules and for users to set hard limits on what an agent can access. Those controls would help separate a harmless web task from a request that touches private or work data.

For individual users, the safest approach is to limit what the browser can see before turning on agent mode. Users should sign out of sensitive accounts, close tabs the task does not need, and avoid agent mode when repositories, admin consoles, password managers, or private dashboards remain open.

Organizations testing AI browsers should take the same approach at scale. Agent mode should have the narrowest access needed for the task, not a standing pass to every account the user has open.

Security teams should set rules for AI browser use, especially around internal apps, repositories, admin tools, customer data, and credentials.
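As an added example that is not part of LayerX's research or any vendor's browser code, the following Python sketches the controls recommended above as an action gate: instructions that came from page text are treated as data and never allowed to act on a logged-in account or move data, user-initiated work on sensitive logged-in origins stops for confirmation, and user-set hard limits block some origins outright. The host names, origin lists and the replayed step plan are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    CONFIRM = "ask the user first"
    DENY = "deny"

@dataclass(frozen=True)
class Step:
    kind: str            # "navigate", "read", "copy", "submit" or "send"
    origin: str          # host the step touches, e.g. "github.com"
    source: str          # "user" (the user's request) or "page" (text read from a web page)
    authenticated: bool  # True if the browser holds a live session for origin

# Hypothetical hard limits set before agent mode is enabled (constructed hosts).
BLOCKED_ORIGINS = {"vault.example.internal"}
SENSITIVE_ORIGINS = {"github.com", "mail.example.com"}
EXFIL_KINDS = {"copy", "submit", "send"}  # steps that move data out of a page

def gate(step: Step) -> Verdict:
    """Decide whether a single proposed step may run."""
    if step.origin in BLOCKED_ORIGINS:
        return Verdict.DENY
    if step.source == "page":
        # Page text is data, not a task: whatever "game" it claims to run, it
        # never gets to act on a logged-in account or move data anywhere.
        if step.authenticated or step.kind in EXFIL_KINDS:
            return Verdict.DENY
        return Verdict.ALLOW
    if step.authenticated and (step.origin in SENSITIVE_ORIGINS or step.kind in EXFIL_KINDS):
        # The confirmation LayerX recommends: the user approves before data
        # is read from, or leaves, an account they are signed in to.
        return Verdict.CONFIRM
    return Verdict.ALLOW

def run_plan(plan: list[Step]) -> tuple[int, Verdict]:
    """Run steps in order; return how many ran and the verdict that stopped the plan."""
    for done, step in enumerate(plan):
        verdict = gate(step)
        if verdict is not Verdict.ALLOW:
            return done, verdict
    return len(plan), Verdict.ALLOW

# Constructed replay of the chain the article describes: the puzzle page is read
# freely, but its instruction to copy a "hidden code" from a work repository is
# stopped because that instruction originated in page text, not the user's request.
BIOSHOCKING_PLAN = [
    Step("navigate", "puzzle.example.test", "user", False),
    Step("read", "puzzle.example.test", "page", False),
    Step("copy", "github.com", "page", True),
    Step("send", "attacker.example.test", "page", False),
]
```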

BioShocking is a reminder that AI browser security is not only about what the model says. It is also about what the browser can reach, copy, and send once it starts acting on the user’s behalf.
