You must be an AI Tinkerers active member to view these talks and demos.
Anamorpher: Downscaling Prompt Injection
Learn how adversarial images exploit bicubic and bilinear downscaling to hide malicious text, trigger hidden prompts in AI systems, and cause data exfiltration.
In this demo, I will show how one can craft a seemingly benign adversarial image that leads to data exfiltration on Gemini CLI and other production AI systems. The adversarial image appears normal at high resolution but reveals hidden, malicious text at low resolution when it is resized with a specific downscaling algorithm (bicubic or bilinear downsampling). Production AI systems that apply this downsampling behind the scenes, without showing the user the resized result, are therefore vulnerable to a hidden multi-modal prompt injection. I'll start by crafting the adversarial image in Anamorpher, a tool built by me and my colleague Suha Hussain at Trail of Bits, and walk attendees through the parts of Anamorpher that embed text in adversarial images using a least-squares optimization method. Then I'll submit the image to Gemini CLI, which will ingest it and act on the hidden instructions, causing data exfiltration through a Zapier MCP server. Afterward, I will zoom into the image to visually highlight the pixel-level perturbations that produced this effect and discuss protective considerations.
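The following is an added example, not Anamorpher's code, that reproduces the core of the technique described above in pure Python. It models a bilinear downscaler with half-pixel centre alignment and no anti-aliasing (the sampling pattern assumed here matches what non-antialiased resizers such as OpenCV's INTER_LINEAR do) and solves, per output pixel, the least-squares problem "stay as close as possible to the benign source while downscaling exactly to the attacker's target". Because each output pixel of such a downscaler reads only a 2x2 patch of the source, the solve has a closed form and only 25% of the pixels change at a scale factor of 4. The source gradient, the 8x8 "T" glyph target, and the area-averaging resampler used for comparison are all constructed for the example; the comparison shows why the attack is specific to the resampling kernel, since a box filter that reads every source pixel attenuates the hidden glyph.

```python
# Added example (not Anamorpher's code): image-scaling attack on a bilinear
# downscaler, in pure Python. Greyscale images are lists of rows, values 0..255.
import math
from typing import List

Image = List[List[float]]

def bilinear_taps(dst_len: int, src_len: int):
    """(src_index, weight) pairs each destination index reads under bilinear
    resampling with half-pixel centres: x = (j + 0.5) * scale - 0.5 (assumed)."""
    scale = src_len / dst_len
    taps = []
    for j in range(dst_len):
        x = (j + 0.5) * scale - 0.5
        x0 = math.floor(x)
        frac = x - x0
        pairs = [(min(max(idx, 0), src_len - 1), w)
                 for idx, w in ((x0, 1.0 - frac), (x0 + 1, frac)) if w > 0.0]
        taps.append(pairs)
    return taps

def downscale_bilinear(img: Image, dst_h: int, dst_w: int) -> Image:
    """Separable bilinear downscale; no anti-aliasing, so most pixels are skipped."""
    row_taps = bilinear_taps(dst_h, len(img))
    col_taps = bilinear_taps(dst_w, len(img[0]))
    return [[sum(wr * wc * img[r][c] for r, wr in row_taps[i] for c, wc in col_taps[j])
             for j in range(dst_w)] for i in range(dst_h)]

def downscale_area(img: Image, dst_h: int, dst_w: int) -> Image:
    """Box-filter (area-averaging) downscale: every source pixel contributes."""
    fh, fw = len(img) // dst_h, len(img[0]) // dst_w
    return [[sum(img[r][c] for r in range(i * fh, (i + 1) * fh)
                 for c in range(j * fw, (j + 1) * fw)) / (fh * fw)
             for j in range(dst_w)] for i in range(dst_h)]

def craft_attack_image(source: Image, target: Image) -> Image:
    """Copy of `source` whose bilinear downscale equals `target`.
    Per output pixel with taps (k, w_k): minimise sum_k (x_k - s_k)^2 subject to
    sum_k w_k x_k = t, giving x_k = s_k - w_k * (sum_k w_k s_k - t) / sum_k w_k^2.
    Assumes tap sets of different output pixels do not overlap (true for integer
    scale factors >= 2); overlapping taps need a joint least-squares solve."""
    row_taps = bilinear_taps(len(target), len(source))
    col_taps = bilinear_taps(len(target[0]), len(source[0]))
    crafted = [row[:] for row in source]
    for i in range(len(target)):
        for j in range(len(target[0])):
            taps = [((r, c), wr * wc) for r, wr in row_taps[i] for c, wc in col_taps[j]]
            residual = sum(w * source[r][c] for (r, c), w in taps) - target[i][j]
            norm = sum(w * w for _, w in taps)
            for (r, c), w in taps:
                # Quantise to 8 bits; clamping can leave a small error for extreme targets.
                crafted[r][c] = min(255, max(0, round(source[r][c] - w * residual / norm)))
    return crafted

def max_abs_diff(a: Image, b: Image) -> float:
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))

def changed_fraction(a: Image, b: Image) -> float:
    total = sum(len(r) for r in a)
    return sum(1 for ra, rb in zip(a, b) for x, y in zip(ra, rb) if x != y) / total

# Constructed sample input: a smooth 32x32 gradient as the "benign" source and
# an 8x8 target painting a dark "T" (32) on a light background (224).
SRC_SIZE, DST_SIZE = 32, 8
SOURCE = [[64 + 2 * (r + c) for c in range(SRC_SIZE)] for r in range(SRC_SIZE)]
T_GLYPH = ["........", ".######.", "...##...", "...##...",
           "...##...", "...##...", "...##...", "........"]
TARGET = [[32 if ch == "#" else 224 for ch in line] for line in T_GLYPH]

def demo():
    crafted = downscaled = None
    crafted = craft_attack_image(SOURCE, TARGET)
    model_view = downscale_bilinear(crafted, DST_SIZE, DST_SIZE)
    benign_view = downscale_bilinear(SOURCE, DST_SIZE, DST_SIZE)
    return {
        "bilinear_error": max_abs_diff(model_view, TARGET),    # 0: model sees the glyph
        "benign_vs_target": max_abs_diff(benign_view, TARGET), # large: source alone does not
        "changed_fraction": changed_fraction(crafted, SOURCE), # 0.25 at scale factor 4
        "area_leak": max_abs_diff(downscale_area(crafted, DST_SIZE, DST_SIZE),
                                  downscale_area(SOURCE, DST_SIZE, DST_SIZE)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.2f}")
```

At a scale factor of 4 the glyph reaches the bilinear consumer exactly while three quarters of the pixels are untouched; under area averaging the same crafted image only shifts each block by a quarter of that contrast, and the attenuation grows with the square of the scale factor. That dependence on the exact kernel is why the attack targets one library's resampler at a time, and why the defence of showing the user the downscaled image the model actually receives closes the gap regardless of kernel.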
Anamorpher crafts image scaling attacks for multi-modal AI prompt injection.