Findings
Malware generation vulnerability
Updated: June 19, 2025
Description
The AI model can be manipulated into generating malware or performing malicious actions.
This vulnerability arises when an attacker uses carefully crafted prompts to instruct the model to generate harmful code, exploit vulnerabilities, or guide the execution of malicious tasks.
Example Attack
If exploited, this vulnerability could allow attackers to use the AI model to generate malware, ransomware, or other types of malicious code, which could then be deployed to compromise systems, steal sensitive data, or cause other forms of damage. The potential consequences include data breaches, financial losses, legal liabilities, and reputational damage.
Remediation
Investigate and improve the effectiveness of guardrails and other output security mechanisms to prevent the model from generating malware or assisting in malicious activities. Strengthen content filtering, restrict code generation capabilities, and develop contextual checks that flag requests for harmful actions.
Security Frameworks
Improper Output Handling refers specifically to insufficient validation, sanitization, and handling of the outputs generated by large language models before they are passed downstream to other components and systems. Since LLM-generated content can be controlled by prompt input, this behavior is similar to providing users indirect access to additional functionality.
An LLM-based system are often granted agency to e.g. call functions or interface with other systems via extensions. Agent-based systems will typically make repeated calls to an LLM using output from previous invocations to ground and direct subsequent invocations. Excessive Agency is the vulnerability that enables damaging actions to be performed in response to unexpected, ambiguous or manipulated outputs from an LLM.
Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system. These harms could affect the organization (e.g. Financial Harm, Reputational Harm), its users (e.g. User Harm), or the general public (e.g. Societal Harm).
Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations.
Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content.
User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level.
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.