Security researchers at LayerX have discovered a new prompt injection technique that tricks AI browsers into revealing saved passwords and login credentials by leading them to believe they are playing a game.
The attack is called BioShocking, named after the 2007 video game BioShock, in which a brainwashed character obeys any command that follows the phrase "Would you kindly?" That is pretty much what's going on here: the AI agent believes whatever information it is given, and changing that information changes what it will do.
The attack starts on a malicious webpage designed as a puzzle called Rapture Games, themed after BioShock's underwater world. The puzzle rewards wrong answers, training the agent to accept that 2+2=5 and that incorrect actions are the winning move. Once the agent learns this, its safety protections stop working. The last step of the puzzle tells the agent to navigate to a GitHub repository and copy the login details stored there.

ChatGPT Atlas, Perplexity's Comet, Fellou, Genspark Browser, Sigma Browser, and Anthropic's Claude Chrome extension all copied real credentials and passed them to the attacker. LayerX used a controlled test environment with a plaintext file, but the same technique could point an agent at any resource it can reach in that session, including open tabs, signed-in accounts, and internal company tools.
LayerX notified all six vendors between October 2025 and January 2026. OpenAI is the only vendor to have implemented a working fix in ChatGPT Atlas. Anthropic attempted a patch for its Claude extension, but LayerX says it did not hold. Perplexity closed the report without acting on it, while Fellou, Genspark, and Sigma did not respond.

LayerX recommends that AI browsers prompt users before reading from signed-in accounts. Something as simple as "I am about to copy data from your GitHub repository, continue?" would break the chain entirely. Until that becomes standard, agent mode is effectively another account with reach into everything you are signed in to.
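The confirmation gate LayerX describes, as an added example that is not LayerX's or any vendor's code: an agent action is paused for user approval whenever the resource it targets belongs to an origin the user is signed into and the instruction came from content on a different origin. The action model, session state and URLs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class AgentAction:
    kind: str         # "navigate", "read" or "submit"
    url: str          # resource the agent wants to touch
    origin_page: str  # page whose content produced this instruction


@dataclass
class SessionState:
    signed_in_origins: Set[str] = field(default_factory=set)  # origins with a live login


def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def needs_confirmation(action: AgentAction, session: SessionState) -> Tuple[bool, str]:
    """Gate any action on a signed-in origin that was requested by another origin's content."""
    target, source = origin(action.url), origin(action.origin_page)
    if target in session.signed_in_origins and target != source:
        return True, (f"I am about to {action.kind} data on {target}, "
                      f"as instructed by content on {source}. Continue?")
    return False, ""


def run_agent_step(action: AgentAction, session: SessionState,
                   confirm: Callable[[str], bool]) -> str:
    """confirm() is the user-facing prompt; it must return True for the action to proceed."""
    gated, prompt = needs_confirmation(action, session)
    if gated and not confirm(prompt):
        return "blocked"
    return "executed"


# Constructed scenario with hypothetical URLs: a puzzle page instructs the agent to
# read a file in a repository on an origin the user is already signed into.
PUZZLE_PAGE = "https://rapture-games.example/final-step"
REPO_URL = "https://github.com/example-user/example-repo/blob/main/creds.txt"
SESSION = SessionState(signed_in_origins={"https://github.com"})

if __name__ == "__main__":
    action = AgentAction("read", REPO_URL, PUZZLE_PAGE)
    ask = lambda prompt: input(prompt + " [y/N] ").strip().lower() == "y"
    print(run_agent_step(action, SESSION, ask))
```

A read of github.com requested while the user is browsing github.com themselves is not gated, so the prompt only fires on the cross-origin step that the puzzle page relies on.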