The Information Machine

Hackers can use 9 of the most popular AI tools to assemble massive botnets

Ars Technica AI · Dan Goodin · 2026-07-08

Ars Technica security reporter Dan Goodin details how nine of the most popular AI tools can be exploited via prompt injection to assemble massive botnets, representing a shift from targeted individual attacks to large-scale internet exploitation.

Open original ↗

Appears in

Extraction

Topics: prompt-injectionai-securitybotnetsllm-vulnerabilities

Claims

  • Prompt injection has become the top threat in AI security because LLMs are architecturally unable to distinguish legitimate user instructions from malicious ones embedded in third-party content.
  • AI developers cannot solve the root cause of prompt injection and instead rely on guardrails that only mitigate damage.
  • Most existing prompt injection attacks are 'push' attacks that must be sent to each individual target, limiting their scale.
  • Nine popular AI tools can be exploited to assemble massive botnets, enabling mass exploitation at internet scale rather than individual targeting.

Key quotes

Large language models are inherently unable to distinguish between legitimate instructions provided by users and malicious ones sneaked into emails, source code, and other third-party content the models are processing.
With no way to enforce this crucial boundary between trusted and untrusted sources, AI engine developers are left to erect elaborate guardrails designed to mitigate the damage rather than solve the root cause.
Because the injection must then be sent (or pushed) to each specific target, the scale of the attack is limited, hampering mass exploits that hit the Internet at large.