Indirect prompt injection, explained - plus how a WhatsApp message silently hijacked Gemini
And top remote AI jobs from Nex, Juniper Square and more.
Indirect prompt injection is the attack that turns AI assistants against the people they're supposed to help — by hiding malicious instructions inside content the AI reads rather than typing commands directly. You don't attack the model. You attack what the model trusts. SafeBreach just demonstrated this against Gemini's Android agent using a new bypass technique called Fake Context Alignment — exploiting six of the most common messaging apps, with no alert to the user, no malicious app install, and no direct attacker access to the device.
Let's understand the concept a little better first.
1. AI CONCEPT EXPLAINER
Indirect prompt injection
Indirect prompt injection is when an attacker hides instructions inside content an AI reads — a notification, a document, a webpage — rather than typing commands directly into the chat. The AI can’t distinguish between legitimate context and attacker-controlled instructions embedded within it, so it follows both.
How It Works
The Model Thinks Out Loud: Reasoning models like GPT-5.5 produce an internal chain of thought — a series of reasoning steps — before outputting a final response. This trace is longer and richer than just the answer, and in theory contains more information about the model’s actual process.
The Monitor Reads the Trace: A separate “monitor” model (in GPT-5.5’s case, GPT-5 Thinking) is given the reasoning trace and asked to infer properties of the agent’s behavior — for example: “Is this agent being deceptive?”, “Is it pursuing a hidden goal?”, “Is it misrepresenting its intentions?”
Three Evaluation Archetypes: OpenAI tests monitorability three ways — intervention (does the model behave differently when it knows it’s monitored?), process (does the CoT reflect the actual steps taken?), and outcome-property(can the monitor predict the final output’s safety properties from the trace alone?).
Why It Can Break: A sufficiently capable model could — intentionally or through training artifacts — learn to write CoT that looks compliant while taking different actions, or suppress reasoning that would reveal misalignment. Preserving monitorability as a property matters precisely because it’s fragile at the frontier.
Example
Good monitorability:
CoT: "The user asked for X. X could be used for Y (harmful).
I should decline because policy Z applies here."
Final output: Declines request.
Monitor reads CoT → correctly predicts refusal. ✓
CoT honestly reflects the decision process.Broken monitorability:
CoT: "The user asked for X. I will help them with X."
Final output: Complies with harmful request.
Monitor reads CoT → predicted safe output. ✗
CoT did not reflect the actual reasoning that led to compliance.Model routing is one of the highest-leverage cost optimizations in production agentic systems — and the gains compound as request volume scales.
2. TOP 3 DEVELOPMENTS
SafeBreach Breaks Gemini's Defenses via WhatsApp and Slack — Fake Context Alignment Bypasses Google's Patches
SafeBreach Labs researcher Or Yair demonstrated a new class of indirect prompt injection attacks against Google Gemini's Android voice assistant, embedding malicious payloads inside standard messaging notifications from WhatsApp, Slack, Signal, SMS, Instagram, and Messenger — with Gemini executing attacker commands silently, with no alert to the user, and no malicious app required on the device. The attack surface is architectural, not a single CVE: Gemini's Android Utilities agent reads incoming notifications from third-party apps without adequately sanitizing untrusted input — meaning any app capable of triggering a device notification is now a viable delivery vector for attacker instructions. The novel bypass, Fake Context Alignment, directly defeats Google's previously deployed patch: Google had blocked Delayed Tool Invocation — instructions that execute only after a follow-up user action — but Fake Context Alignment creates a dual illusion: presenting a legitimate authorization scenario to Gemini's backend security mechanisms while showing the victim an entirely benign interaction. The five threat categories demonstrated escalate rapidly: from memory poisoning (Gemini persistently saved attacker-chosen facts — account-level, following the victim across all devices), to scheduled surveillance (a recurring task to read the victim's recent messages every day at 8pm), to large-scale social engineering that leverages the victim's trusted contacts as phishing launchers. SafeBreach disclosed to Google on August 17, 2025; Google confirmed content classifier improvements mitigated the described vectors on November 14, 2025. The fix is server-side — no app update required. Users wanting to reduce residual exposure can disconnect the Utilities app in Gemini's Connected Apps settings or revoke the Google app's notification permissions.
Details & Specifications
Training/Architecture:Attack surface: Gemini Android Utilities Agent; notification read access; no malicious app install required; no direct device access required by attacker
Delivery vectors: WhatsApp, Slack, Signal, SMS, Instagram, Messenger — any app capable of sending a device notification
Bypass techniques: Fake Context Alignment (primary); Obfuscated FCA (foreign-language embedding in silent hyperlink anchor text); Muted FCA (TTS vocalization quirk exploited to hide injected content from user)
Canva Launches Perplexity Computer Connector — Research to On-Brand Asset in One Flow
Canva launched a native connector for Perplexity Computer, allowing Perplexity's desktop agent to autonomously turn live research, competitive analysis, and meeting notes directly into polished, on-brand, editable Canva assets — presentations, social campaigns, infographics, or brand kits — without switching tabs or copy-pasting. The workflow is genuinely end-to-end: connect Canva through the Perplexity Computer Connectors page, describe what you need, and Perplexity draws from your meeting notes, performance data, and live web context to build a structured brief; Canva then transforms it into the asset and returns it ready to publish across platforms. The practical gap this closes is real — a founder going from a Monday discovery call to a Thursday pitch previously had to manually bridge the research-to-design gap; this connector makes that transition a single prompt.
Details & Specifications
Training/Architecture:Perplexity Computer agent with Canva connector; live web research + local file context (meeting notes, performance data) → structured brief → Canva asset generation; outputs: presentations, social campaigns, infographics, brand kits; all assets fully editable post-generation
Performance:End-to-end research-to-asset in one flow; no copy-paste or tab switching; on-brand output using Canva's brand kit system; supports Perplexity's full connector ecosystem (Notion, Google Drive, GitHub, SharePoint, and 200+ others)
Pricing:Available to Perplexity Computer subscribers (Pro plan required for Computer); Canva account required; no additional connector fee
Ramp Launches Stack — An AI Operating System for Accounting Firms, Free Through August
Ramp launched Ramp Stack on June 3, 2026 — its first product built specifically for accounting firms — entering a roughly $150 billion market with an AI-native operating system that automates the monthly close end-to-end: reconciliations, journal entries, schedule roll-forwards, variance analysis, and recurring schedules, all with human sign-off built in at every step. The design philosophy is deliberately conservative for the profession: accounting firms own the setup — agents follow your processes and your client-specific rules, learn them once, and run the work that way for every client every time; every action is transparent, traceable, and auditable, with configurable guardrails that determine where agents run autonomously and where they stop for human review. The talent crisis context makes the timing significant: more than 300,000 CPAs have exited the profession, accounting degrees hit a 20-year low last year, and firms are turning away clients because they cannot staff to support them — Stack is explicitly positioned as the answer to that pressure, letting firms expand their book without expanding their team.
Details & Specifications
Training/Architecture:AI agents for five core workflows: reconciliations, journal entries, schedule roll-forwards, variance analysis, recurring schedules; "Skills" system — editable SOPs that encode client-specific rules; Advisor Console for centralized review and approval; full audit trail on every action; learns client preferences once, applies consistently
Performance:Benchmarked on 200+ accounting tasks by practicing accountants; up to 60% faster closes and up to 9x faster reconciliations per Ramp's own testing; 92 of the top 100 CPA firms already use Ramp; Stack built on that foundation with accounting-specific fine-tuning beyond general-purpose LLMs
Pricing:Free through August 2026 for accounting firms; post-August pricing not yet announced; enterprise pricing expected
3. AI CAREER OPPORTUNITIES
1. Senior Forward Deployed Engineer (AI)
📍 Juniper Square | Remote | Full-Time
🔗 Apply Here 2. Senior AI/ML Engineer
📍 Mowka | Remote | Full-Time
🔗 Apply Here 3. Senior Data Analyst
📍 YipitData | Remote | Full-Time
🔗 Apply Here4. Manager, Strategic Partnerships and AI Operations
📍 Nex | Remote | Full-Time
🔗 Apply Here We track real AI shifts - with facts, without hype
• The most important daily AI advancements, summarized & with tech specs
• One critical AI concept explained in simple terms
• Curated AI jobs and projects, all remote-friendly
To make the most of AI, subscribe to the newsletter and share it with other AI professionals.
Stay connected:
Deep Tech Stars Web/App | WhatsApp: AI Jobs | WhatsApp: AI Discussions | LinkedIn | Instagram