Defenders are now using prompt injections, the same technique attackers rely on, to stop AI hacking agents. Researchers from Tracebit said placing these malicious commands alongside passwords and cryptographic keys on Amazon Web Services often sufficed to halt attacks. The prompts direct attacking LLMs to perform actions that violate their guardrails, triggering a shutdown. Examples include orders to develop inhalable Anthrax spores or reference the Tank Man from the 1989 Tiananmen Square massacre. Once the LLM encounters these forbidden commands, it no longer follows its existing instructions. The researchers named this technique 'context bombing,' which triggers a refusal mechanism in the model's context. 'What we’re trying to capture is the fact that this does have a strong, sharp effect and one that can be difficult for the agents to come back from,' said Andy Smith, cofounder and CEO of Tracebit.

Initial testing showed context bombing has significant potential. The team tested Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6 by giving them instructions to perform routine developer tasks, leading the models to stumble upon planted strings. They ran the models inside a simulated AWS environment. Across five leading models and 152 attack runs, planting one of these strings in a decoy secret cut the rate at which agents seized full account admin from 57 percent to 5 percent, and complete compromise from 36 percent to 1 percent. The most capable agent in their tests, Opus 4.8, went from achieving admin access in 93 percent of runs to failing every single time when confronted with a context bomb.

The research builds on earlier findings from May, when Tracebit introduced a method for defenders to receive warnings when their infrastructure is under attack from AI agentic adversaries. These resources, which look like legitimate ones but are not used, allow defenders to detect threats before they cause damage. The Tracebit Canariens, on average, alerted the start of an attack within eight minutes. The motivation for developing context bombing came from the need to stop attacks rather than just warn of them. In experiments, agentic models needed, on average, 14 minutes to escalate to administrative control. The six-minute heads-up was cutting things uncomfortably close.

Source: wired