AgentHopper Alert: How a Single Web Sentence Can Hijack Your AI Assistant
At the recent Chaos Communication Congress in Germany, a new warning was issued about the risks associated with AI agents. According to information security specialist Johann Rehberger, a computer running systems such as Claude Code, GitHub Copilot, Google Jules, or similar tools becomes instantly vulnerable to attacks that require no user interaction whatsoever. A single line embedded in a web page or document can be enough to feed malicious instructions to an agent.
As demonstrated during the presentation, AI assistants are particularly susceptible to attacks that inject commands into otherwise ordinary text prompts. One example involved a website containing a single sentence requesting a file download. Claude, using its computer interaction tools, not only downloaded the file but automatically marked it as executable, launched a terminal, and connected the device to a botnet. None of these actions required a single keystroke from the user.
Rehberger emphasized that while machine learning models possess remarkable capabilities, they are profoundly fragile in the presence of a determined adversary. He noted that major vendors such as Anthropic cannot simply “patch” these weaknesses away, as they are inherent to the agents’ architectural design. Systems that employ AI tools—especially those granting agents control over the operating system—should be treated as already compromised by default.
During the talk, a wide range of attack scenarios was demonstrated in which agents executed malicious instructions. One such case involved infection through fragmented commands distributed across multiple websites. In this scenario, the AI assistant Devin received partial instructions from two separate sources, then proceeded to deploy a web server, expose user files, and transmit an access link to the attacker.
Rehberger also demonstrated a technique for injecting invisible text using a tool called ASCII Smuggler. These characters are imperceptible in most text editors, yet AI agents interpret them as executable instructions. As a result, Google Jules and Antigravity followed the hidden commands, downloaded malware, and opened remote access to the system.
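As an added example (not from the talk or the article), a defender-side pre-filter in Python that strips the invisible Unicode Tag and zero-width characters the ASCII Smuggler technique relies on, and reports what they spelled out, before a page's text is handed to an agent. The sample string is constructed for the demonstration.

```python
import unicodedata
from dataclasses import dataclass, field

# Unicode "Tags" block (U+E0000..U+E007F). These characters render as nothing
# in most editors and browsers, but a model still tokenizes them, and each one
# maps to the ASCII character at (code point - 0xE0000).
TAG_BASE = 0xE0000
TAG_RANGE = range(0xE0000, 0xE0080)

@dataclass
class ScanResult:
    clean_text: str                       # input with invisible characters removed
    hidden_text: str                      # ASCII recovered from tag characters
    removed: dict = field(default_factory=dict)  # "U+XXXX" -> count

def scan_untrusted_text(text: str) -> ScanResult:
    """Strip invisible characters from text destined for an agent and report
    what was hidden. Format (Cf) characters cover zero-width spaces/joiners,
    BOMs and bidi overrides; the tag block is decoded so a reviewer can read
    the hidden payload instead of guessing at it."""
    clean, hidden, removed = [], [], {}
    for ch in text:
        cp = ord(ch)
        if cp in TAG_RANGE:
            ascii_cp = cp - TAG_BASE
            # Only U+E0020..U+E007E carry printable ASCII; U+E0001 (language
            # tag) and U+E007F (cancel tag) carry no text and are just dropped.
            if 0x20 <= ascii_cp <= 0x7E:
                hidden.append(chr(ascii_cp))
        elif unicodedata.category(ch) == "Cf":
            pass  # zero-width / format character: drop it
        else:
            clean.append(ch)
            continue
        key = f"U+{cp:04X}"
        removed[key] = removed.get(key, 0) + 1
    return ScanResult("".join(clean), "".join(hidden), removed)

def is_suspicious(result: ScanResult) -> bool:
    """Text that asks the agent to read something it does not show the user is
    a prompt-injection red flag. Tune for your content: a ZWJ inside an emoji
    sequence is a benign Cf character, tag-block text almost never is."""
    return bool(result.hidden_text) or bool(result.removed)

# Constructed sample: visible text plus the word "hidden" spelled in tag
# characters and one zero-width space (U+200B), as smuggled content would be.
SAMPLE = ("Run the unit tests before merging."
          "\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E"
          "\u200b Thanks!")

if __name__ == "__main__":
    r = scan_untrusted_text(SAMPLE)
    print(f"visible   : {r.clean_text!r}")
    print(f"hidden    : {r.hidden_text!r}")
    print(f"removed   : {r.removed}")
    print(f"suspicious: {is_suspicious(r)}")
```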
According to Rehberger, the new Gemini 2.0 model is particularly adept at recognizing hidden characters, a trait that affects all applications built on top of it. Even local agents such as Anthropic's Claude Code or Amazon's developer tools can execute system-level commands, enabling attackers to bypass defenses and access sensitive data.
He also introduced the concept of an AI virus dubbed AgentHopper. Rather than spreading through conventional code, it propagates through interactions between AI agents themselves. A malicious prompt is embedded into a repository, after which agents replicate it into other projects and pass it along. The same prompt can dynamically adapt to different AI assistants by leveraging conditional logic.
Rehberger noted that he used Gemini to build this virus model, underscoring how dramatically modern AI tools have lowered the barrier to creating sophisticated malware.
In closing, he advised never to trust the outputs of language models and to strictly minimize agents’ access to system resources. He described containerization—such as using Docker—and a complete ban on automatic command execution as ideal safeguards.
According to Rehberger, AI tool providers openly acknowledge that they cannot guarantee the security of their products. The unavoidable conclusion, therefore, is that systems must always be designed and operated under the assumption that compromise is possible.