This week in "we're in the wild west era" of LLMs.
- A benign flan recipe injection in a LinkedIn profile went viral.
- Even The Economist is talking about prompt injection and The Lethal Trifecta!
- They published another piece with a "solution" that is less well-considered.
- They framed the problem like building a bridge, where the solution is over-engineering.
- But bridges don't have adversaries deliberately trying to attack them and find their weaknesses.
- I agree with Simon that structural approaches require cutting off one of the legs of the stool.
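As an added illustration of the structural approach (my example, not code from the post or from Simon Willison's writing), a gate that refuses to hand an agent a tool set that completes the Lethal Trifecta: access to private data, exposure to untrusted content, and a channel to send data out. Tool names and their capability labels are constructed for the demo.

```python
"""Refuse any agent tool configuration that grants all three Lethal Trifecta
capabilities at once; removing any one leg makes data theft structurally hard."""
from dataclasses import dataclass
from enum import Enum


class Cap(Enum):
    PRIVATE_DATA = "private_data"        # reads the user's secrets or documents
    UNTRUSTED_INPUT = "untrusted_input"  # ingests content an attacker can author
    EXFIL = "exfil"                      # can move data out (HTTP, email, ...)


@dataclass(frozen=True)
class Tool:
    name: str
    caps: frozenset


# Constructed sample catalogue (hypothetical tool names, not a real product's API).
CATALOGUE = {
    "read_notes": Tool("read_notes", frozenset({Cap.PRIVATE_DATA})),
    # fetching an attacker-chosen URL both ingests untrusted content and can leak
    # data through the URL itself, so it carries two legs of the stool at once
    "fetch_url": Tool("fetch_url", frozenset({Cap.UNTRUSTED_INPUT, Cap.EXFIL})),
    "web_search": Tool("web_search", frozenset({Cap.UNTRUSTED_INPUT})),
    "send_email": Tool("send_email", frozenset({Cap.EXFIL})),
}

TRIFECTA = frozenset(Cap)


def union_caps(tool_names):
    """Combined capability set of a tool configuration."""
    caps = set()
    for name in tool_names:
        caps |= CATALOGUE[name].caps
    return frozenset(caps)


def check_toolset(tool_names):
    """Return (allowed, reason): allowed only if at least one leg is missing."""
    caps = union_caps(tool_names)
    if caps >= TRIFECTA:
        return False, "trifecta complete: " + ", ".join(sorted(c.value for c in caps))
    return True, "missing: " + ", ".join(sorted(c.value for c in TRIFECTA - caps))


def single_tool_fixes(tool_names):
    """Tools whose removal alone breaks the trifecta (empty if one removal is not enough)."""
    return sorted(n for n in tool_names
                  if check_toolset([t for t in tool_names if t != n])[0])
```

The check is a design-time policy on what an agent may be wired up with, which is exactly the "cut off one leg" mitigation rather than a runtime dialog the user has to answer.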
- Notion's response to the prompt injection vulnerability is to spam the user with security dialogs.
- Security dialogs like this are a form of "responsibility laundering."
- They move the responsibility to the user, who almost certainly is not paying attention or equipped to decide properly.
- The service washes its hands of the problem without actually minimizing harm that much.
- This one isn't a prompt injection attack, just a good old supply chain attack.
- Meanwhile, Apple is planning to integrate MCP into the OS.
- What could possibly go wrong?