Prompts Are the New Malware: Why Enterprise AI Defences Are Falling Behind
Hackers have found a new way to break into AI systems. It is called a “prompt injection attack.” A “prompt” is just the text instruction you type to an AI. In this attack, a hacker hides sneaky instructions inside text the AI reads. The AI then follows those bad instructions and does something harmful.
A new report says these prompts now act like malware. Malware is harmful software that steals your data or money. The report came from CrowdStrike, a big cybersecurity company (a firm that protects computers from hackers). CrowdStrike found that these attacks hit more than 90 companies in 2025. Hackers used them to steal login details and cryptocurrency (digital money like Bitcoin).
That same report, called the 2026 Global Threat Report, found more bad news. Attacks that use AI went up by 89% in just one year. And 82% of break-ins used no virus or harmful code at all. In simple words: hackers often do not need a virus anymore. They just need clever words.
Why this is so hard to stop
There is a famous list of the biggest AI security risks. It is called the OWASP Top 10 for large language model apps. (An LLM, or large language model, is the kind of AI that runs chatbots like ChatGPT.) Prompt injection is number one on that list. Its code name is “LLM01”.
Why is it number one? The reason is simple but tricky. An AI cannot really tell the difference between two things. One is the rules its makers gave it. The other is text it reads from a webpage, email, or document. To the AI, words are just words. So it may follow a hacker’s hidden words too.
Two kinds of attack
Direct prompt injection is the simple kind. A user types instructions that break the AI’s rules. This is the classic “ignore your previous instructions” trick.
Indirect prompt injection is sneakier. The attacker hides instructions inside something the AI will read later for another person. It could be an email, a calendar invite, a webpage, or a file someone uploads. The victim never sees the trap. The attacker never even talks to the AI. The AI just quietly does what the hidden words say.
Real attacks that already happened
Two real cases show how this works. In 2024, security researchers tricked Slack AI into leaking secret data. This included secret API keys (special passwords that let apps talk to each other). They did it by hiding an instruction in a public channel or file.
In 2025, a flaw called EchoLeak was found. Its tracking name is CVE-2025-32711, and it had a very high danger score of 9.3 out of 10. It was the first known “zero-click” attack on a live AI. Zero-click means the user does not have to click anything. Just one cleverly written email could make Microsoft 365 Copilot grab private files and send them to the attacker. The user did nothing at all. Both bugs were later fixed. But the deeper weakness behind them is still there.
Benchmarks: how often the attacks work
Even the best AI companies admit this problem is far from solved. (A benchmark is just a test that measures how good or safe something is.) Here are numbers the companies shared themselves.
| Reported figure | Number | Source |
|---|---|---|
| Organisations hit by prompt injection in 2025 | 90+ | CrowdStrike 2026 Global Threat Report |
| Rise in AI-enabled attacks (year over year) | +89% | CrowdStrike |
| Intrusions with no traditional malware | 82% | CrowdStrike |
| Agent fooled by a single injection attempt | 17.8% | Anthropic (Claude Opus system card) |
| Success over 200 attempts, no safeguards | 78.6% | Anthropic |
| Success over 200 attempts, with defences | 57.1% | Anthropic |
| Best attack still succeeding after fine-tuning | 53.6% | Google (Gemini) |
What it means: even when companies add their best defences, the attacks still work more than half the time in these tests. A 1% failure rate may sound tiny. But an AI agent that runs thousands of times a day can still get tricked dozens of times a month.
Why normal security tools do not help
Old security tools all work the same basic way. Things like input checks, output filters, virus signatures, and patches try to draw a line. On one side are trusted commands. On the other side is untrusted content. But inside an AI, that line does not exist. The commands and the data flow through one single stream of text.
AI makers add their own safety rules, called guardrails. These catch the common tricks. But they miss many harder ones — attacks hidden in code, written in other languages, or hidden inside images. In December 2025, OpenAI said something honest. They admitted prompt injection, much like scams, may never be fully stopped.
Why it matters (especially for India and founders)
Companies all over the world, including in India, are rushing to use AI “agents.” An AI agent is an AI that can act on its own. It can send email, run code, move money, and open files by itself. But every new power you give an agent is a new door a hacker can try to open. As more companies add these helpers, the risk grows fast.
For founders (people who start companies), there is both a warning and a chance. The warning: do not give an AI agent too much access. Set strong limits, and make a human approve any risky action. The chance: AI security is now one of the hottest fields. Big firms are even buying these skills through acquisitions (when one company buys another). And as India puts more services online, from health to payments, keeping AI safe becomes everyone’s job.
FAQ
What is prompt injection in one line?
It is tricking an AI by hiding harmful instructions inside the text it reads, so it does something it should not.
Can I fully protect my AI from it?
Not completely, not today. Experts say you should limit what an AI agent can reach. Ask a human to approve risky actions. And treat all incoming text as if it could be a trap.
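The three controls just named (limit what the agent can reach, have a human approve risky actions, treat all incoming text as a possible trap) can be enforced outside the model itself. The small Python gatekeeper below is an added illustration, not code from the Forbes article, CrowdStrike or any vendor; the tool names, the phrase list and the sample email text are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed example: a gatekeeper that sits between an AI agent and its tools.
# It allowlists tools, routes risky ones to a human, and labels fetched content
# as untrusted so the model context at least carries its provenance.

SAFE_TOOLS = {"read_calendar", "summarise"}
RISKY_TOOLS = {"send_email", "move_money", "run_code", "open_file"}

# Heuristic detection only: phrases that look like instructions aimed at the
# model. Useful for logging and alerting, never as the sole control, since
# real injections are often paraphrased, translated or hidden in other media.
INJECTION_HINTS = re.compile(
    r"ignore (all |your )?(previous|prior) instructions|you are now|do not tell the user",
    re.IGNORECASE,
)


@dataclass
class AgentStep:
    tool: str                                           # tool the model wants to call
    untrusted_text: list = field(default_factory=list)  # email/web/file content read this step
    alerts: list = field(default_factory=list)          # detection findings for the SOC log


def wrap_untrusted(source: str, text: str) -> str:
    """Label fetched content so its origin is explicit when it enters the model context."""
    return f'<untrusted source="{source}">\n{text}\n</untrusted>'


def gate(step: AgentStep, human_approves=None) -> str:
    """Return 'allow', 'deny' or 'needs_human' for one requested tool call.

    human_approves is an optional callback (e.g. a ticket or chat prompt) that
    returns True when an operator has approved this specific step.
    """
    for text in step.untrusted_text:
        if INJECTION_HINTS.search(text):
            step.alerts.append(f"injection-like text seen before call to {step.tool}")
    if step.tool in SAFE_TOOLS:
        return "allow"
    if step.tool not in RISKY_TOOLS:
        return "deny"                     # not on the allowlist at all
    if human_approves is None:
        return "needs_human"              # risky action, no approver wired in: stop here
    return "allow" if human_approves(step) else "deny"
```

The gate denies by default and never lets a risky tool run on the model's say-so alone; the regex only adds an alert so an analyst can see which inputs preceded the request.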
The takeaway
AI is changing. It is moving from simple chatbots to agents that act for us. That means words can now be used as a weapon. Prompt injection is the top AI security risk right now, and our defences are behind. The safest plan for any business is simple: give AI less power, watch it closely, and assume every input could be a trap.
Source: Forbes.