Hackers can use 9 of the most popular AI tools to assemble massive botnets
Ars Technica AI · Dan Goodin · 2026-07-08
Ars Technica security reporter Dan Goodin details how nine of the most popular AI tools can be exploited via prompt injection to assemble massive botnets, representing a shift from targeted individual attacks to large-scale internet exploitation.
Appears in
Extraction
Topics: prompt-injectionai-securitybotnetsllm-vulnerabilities
Claims
- Prompt injection has become the top threat in AI security because LLMs are architecturally unable to distinguish legitimate user instructions from malicious ones embedded in third-party content.
- AI developers cannot solve the root cause of prompt injection and instead rely on guardrails that only mitigate damage.
- Most existing prompt injection attacks are 'push' attacks that must be sent to each individual target, limiting their scale.
- Nine popular AI tools can be exploited to assemble massive botnets, enabling mass exploitation at internet scale rather than individual targeting.
Key quotes
Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing.
With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause.
Because the injection must then be sent (or pushed) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large.