
Trail Of Bits Launches Anamorpher, Open Source Tool Exposing Data-Theft Prompts Hidden In Downscaled Images

Trail of Bits Unveils Anamorpher to Expose Hidden AI Data-Theft Prompts

Trail of Bits has launched Anamorpher, an open source tool exposing how crafted images can exploit AI downscaling to hide malicious prompts and steal data.

Researchers from Trail of Bits have demonstrated a prompt-injection technique that abuses image downscaling to deliver hidden instructions to multimodal AI systems and exfiltrate user data. The attack, developed by Kikimora Morozova and Suha Sabi Hussain, builds on a 2020 paper from TU Braunschweig that formalised image-scaling attacks against machine-learning pipelines.

The method relies on AI systems automatically downscaling uploaded images before the model sees them, usually to save compute. Each resampling algorithm (nearest neighbour, bilinear, bicubic) combines a fixed set of source pixels with fixed weights, so an attacker who knows which resampler is in use can tune pixel values such that the full-resolution image looks benign to the person uploading it while the downscaled version, the only one the model ever sees, contains legible instruction text. Because the model receives that text alongside the user's actual request, it treats the hidden instructions as legitimate input and can be driven to take actions the user never asked for. A given crafted image is tied to the resampler it was built against; the same file fed through a different kernel generally reveals nothing.

In one demonstration, the researchers used Gemini CLI to exfiltrate Google Calendar data to an external email address. The tool call went through because Zapier MCP had been configured with the 'trust=True' option, which approves calls without asking the user to confirm them. Tests confirmed that the technique works against multiple systems, including Google Gemini CLI, Vertex AI Studio, Gemini's web interface, Gemini's API via the llm CLI, Google Assistant on Android, and Genspark. The researchers warn that any pipeline that silently downscales images before inference is a candidate, so the scope could extend further.

To make the risk concrete, Trail of Bits has released Anamorpher, an open-source beta tool that generates crafted images tuned to specific downscaling methods. While the release could be misused, it gives the security community a transparent, reproducible way to study the attack and test defences against it.

The team recommends mitigations such as restricting upload dimensions so that no downscaling is needed, showing the user a preview of the image exactly as the model will see it after downscaling, requiring explicit confirmation before any sensitive tool call is executed, and adopting secure design patterns against prompt injection rather than relying on the model to ignore embedded instructions.
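The following toy model, added here and not taken from Anamorpher or the Trail of Bits write-up, shows both halves of the story above: how a near-uniform grey image can be built so that a nearest-neighbour downscaler samples exactly the pixels spelling out a hidden glyph (standing in for instruction text), and how a defender can detect such an image by comparing the outputs of two different downscalers. It assumes a scaler that samples the top-left pixel of each block, a constructed 7x7 glyph, and a grey cover value of 200; none of these come from the article. Real attacks against bilinear or bicubic kernels must solve for pixel values against the kernel weights, which this example does not attempt.

```python
"""Toy image-scaling prompt injection and a matching detection check.

The crafted image is `COVER` grey everywhere except one pixel per k x k block.
A nearest-neighbour downscaler (assumed to sample the top-left pixel of each
block) sees the hidden glyph; an area-average downscaler does not, which is
why such images are tuned to one resampler. scaling_attack_score() flags the
disagreement between the two scalers as a simple pre-inference check.
"""
from typing import Dict, List

Image = List[List[int]]  # 8-bit grayscale, row-major

COVER = 200  # constructed background grey level (assumption)

# Constructed 7x7 "X" glyph standing in for hidden instruction text.
HIDDEN_GLYPH = [
    "1.....1",
    ".1...1.",
    "..1.1..",
    "...1...",
    "..1.1..",
    ".1...1.",
    "1.....1",
]


def glyph_to_image(glyph: List[str], dark: int = 0, light: int = 255) -> Image:
    """Turn a string glyph into an 8-bit image: '1' is dark, '.' is light."""
    return [[dark if c == "1" else light for c in row] for row in glyph]


def nearest_downscale(img: Image, k: int) -> Image:
    """Nearest-neighbour downscale by integer factor k.

    Assumes the scaler keeps the top-left pixel of each k x k block. Real
    libraries differ in which sample they pick, so a real attack has to be
    tuned to the exact implementation in the target pipeline."""
    h, w = len(img) // k, len(img[0]) // k
    return [[img[i * k][j * k] for j in range(w)] for i in range(h)]


def area_downscale(img: Image, k: int) -> Image:
    """Box-filter downscale: each output pixel is the mean of its k x k block."""
    h, w = len(img) // k, len(img[0]) // k
    out: Image = []
    for i in range(h):
        row = []
        for j in range(w):
            block = [img[i * k + di][j * k + dj] for di in range(k) for dj in range(k)]
            row.append(round(sum(block) / (k * k)))
        out.append(row)
    return out


def craft_image(target: Image, k: int, cover: int = COVER) -> Image:
    """Build a (k*h) x (k*w) image equal to `cover` everywhere except at the
    single pixel per block that nearest_downscale() will sample; those carry
    the target glyph. Only 1/k^2 of the pixels differ from the cover."""
    h, w = len(target), len(target[0])
    img = [[cover] * (w * k) for _ in range(h * k)]
    for i in range(h):
        for j in range(w):
            img[i * k][j * k] = target[i][j]
    return img


def fraction_changed(img: Image, cover: int = COVER) -> float:
    """Share of pixels that differ from the cover colour."""
    total = sum(len(r) for r in img)
    return sum(1 for r in img for p in r if p != cover) / total


def scaling_attack_score(img: Image, k: int) -> float:
    """Defence check: mean absolute difference between the nearest-neighbour
    and area-average downscales. A smooth benign image scores near 0; an
    image tuned to one resampler scores high because the scalers disagree."""
    a, b = nearest_downscale(img, k), area_downscale(img, k)
    n = len(a) * len(a[0])
    return sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)) / n


def demo(k: int = 8) -> Dict[str, object]:
    """Craft an image for factor k and report what each scaler reveals."""
    target = glyph_to_image(HIDDEN_GLYPH)
    crafted = craft_image(target, k)
    benign = [[COVER] * (7 * k) for _ in range(7 * k)]  # constructed flat image
    return {
        "nearest_reveals_glyph": nearest_downscale(crafted, k) == target,
        "area_reveals_glyph": area_downscale(crafted, k) == target,
        "fraction_pixels_changed": fraction_changed(crafted),
        "score_crafted": scaling_attack_score(crafted, k),
        "score_benign": scaling_attack_score(benign, k),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the glyph recovered exactly by the nearest-neighbour path, only 1/64 of the pixels altered at factor 8, and an area-average result that stays within a few grey levels of the cover; the score for the crafted image is roughly 92 against 0 for the flat image. In a real deployment the same idea applies as a gate: downscale with the production resampler and with a robust reference resampler, and refuse or flag the upload when they diverge, or simply show the user the production downscale before sending it to the model.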

By open sourcing Anamorpher, Trail of Bits positions the discovery as both a warning and a call for collective defence in AI security.
