AI Agents Are Becoming the New Playground for Hackers, and That’s a Problem
Artificial Intelligence is changing how businesses work, but it’s also opening new doors for cybercriminals.
In a fresh report, security research firm Zenity has sounded the alarm: AI agents like ChatGPT, Microsoft Copilot, Google Gemini, Salesforce Einstein, and Cursor can be tricked into leaking sensitive information through something called prompt injection attacks.
These aren’t just theoretical ideas floating in a lab. Zenity demonstrated real, working exploits at the Black Hat USA security conference, using a chain of zero-click and one-click attacks they’ve named AgentFlayer.
What’s a Prompt Injection Attack?
Think of it like this: you give your AI assistant a task, but hidden inside that task is a secret instruction written by someone else.
When the AI processes it, it unknowingly follows those hidden instructions. This can lead to anything from searching your private files to sending sensitive data to an attacker.
Businesses Should Pay Attention to These Examples
Zenity’s research exposed how these attacks could work in real life:
- ChatGPT Data Theft: Upload a document to ChatGPT for summarizing, but inside the document is a hidden prompt telling the AI to search your connected Google Drive for API keys and send them to a malicious server.
- Microsoft Copilot Studio Exploit: Attackers could send specially crafted emails to an AI-powered customer service agent that trigger it to share private CRM data or internal configuration details.
- Cursor Coding Assistant Hijack: By exploiting the Jira integration, attackers could sneak prompts into tickets that force the AI to leak repository secrets like access tokens and API keys.
Everyone Using AI Tools Should Care
As Zenity’s CTO, Michael Bargury, explained:
These aren’t just hypotheticals; we’ve shown how attackers can silently hijack AI agents to exfiltrate sensitive data, impersonate users, and manipulate workflows. They can compromise your agent instead of targeting you, with the same dangerous results.
Have Companies Fixed It?
Microsoft and OpenAI have released remedies for the particular flaws that Zenity pointed out.
But here’s the hard truth: completely stopping prompt injection is nearly impossible. Why? Because natural language can hide instructions in endless ways, making them tricky to detect with simple filters or blacklists.
Protect Your AI Agents Right Now
If your business relies on AI tools, security experts recommend:
- Adding extra layers of authentication before allowing AI to access sensitive data.
- Closely monitoring logs and activity of AI agents.
- Filtering and sanitizing all inputs, including documents, messages, and code, before they reach your AI tools.
- Training staff to be aware that AI can be hacked too, not just humans.
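The first two recommendations can be enforced in code by putting a policy gate between the agent and its tools: sensitive reads need an approval that comes from the user's own interface (never from model output), outbound sends go only to allowlisted hosts, and every decision is logged. The example below is added here and is not Zenity's or any vendor's code; the tool names and hosts are assumptions.

```python
"""Policy gate for AI-agent tool calls (added illustration, hypothetical policy).
Sensitive reads require explicit user approval; outbound sends are limited to
allowlisted hosts; every verdict is appended to an audit log for monitoring."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed tool names and hosts; adapt to the tools your agent actually exposes.
SENSITIVE_TOOLS = {"search_drive", "read_crm_record", "read_repo_secret"}
OUTBOUND_TOOLS = {"http_post", "send_email"}
ALLOWED_OUTBOUND_HOSTS = {"api.example-internal.test"}


@dataclass
class ToolCall:
    tool: str
    args: dict
    # Set only by the user's UI after an out-of-band prompt; a hidden instruction
    # inside a document or ticket can never set this flag.
    user_approved: bool = False


@dataclass
class Gate:
    audit_log: list = field(default_factory=list)

    def _record(self, call: ToolCall, verdict: str, reason: str) -> bool:
        # One log entry per decision, so denied attempts are visible to monitoring.
        self.audit_log.append({"tool": call.tool, "verdict": verdict, "reason": reason})
        return verdict == "allow"

    def evaluate(self, call: ToolCall) -> bool:
        """Return True if the call may proceed, False if it must be blocked."""
        if call.tool in SENSITIVE_TOOLS and not call.user_approved:
            return self._record(call, "deny", "sensitive read without user approval")
        if call.tool in OUTBOUND_TOOLS:
            dest = call.args.get("url") or call.args.get("to", "")
            # URLs: take the hostname; e-mail addresses: take the domain part.
            host = urlparse(dest).hostname if "://" in dest else dest.split("@")[-1]
            if host not in ALLOWED_OUTBOUND_HOSTS:
                return self._record(call, "deny", f"outbound to non-allowlisted host {host!r}")
        return self._record(call, "allow", "policy satisfied")
```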