TL;DR: A new attack chain against Claude combined an open redirect, hidden prompt injection, and API-based exfiltration to target prior chat content and connected MCP tools, according to Swarmnetics. The incident shows why AI assistant governance cannot rely on user-visible links, static trust assumptions, or human-paced review cycles.
At a glance
What this is: This is an analysis of a Claude-targeting attack chain that hid malicious instructions inside a redirect-based URL and used API-driven exfiltration.
Why it matters: It matters because security teams now have to govern AI assistants, chat histories, and tool connections as identity-bearing systems with attack surfaces that do not map cleanly to human-only IAM controls.
👉 Read Swarmnetics's analysis of the Claude invisible prompt attack chain
Context
AI assistant identity risk emerges when a system can be manipulated through the way it receives instructions, not just through the account that launches it. In this case, the concern is not only prompt injection but also the trust placed in links, browser rendering, and downstream tool access that may expose prior conversations or connected systems.
For identity teams, the important point is that autonomous or semi-autonomous assistant behaviour collapses the usual boundary between user input, tool invocation, and data exfiltration. That makes AI assistant governance a shared problem for IAM, NHI, PAM, and application security, especially where chat history or MCP-connected tools can be reached from a single malicious interaction.
Key questions
Q: How should security teams govern AI assistants that can access audit data?
A: Treat them as privileged non-human identities with defined scope, logging, and approval boundaries. Access should be limited to the smallest useful data set, and any output that can influence operations should require human authorization before execution. That approach reduces the chance that an AI assistant becomes an unreviewed control point inside security operations.
Q: What breaks when hidden prompt instructions bypass user-visible review?
A: Human review breaks down because the malicious instruction is no longer visible at the moment the user decides whether to trust the content. If the payload survives a redirect or is hidden in machine-readable text, the assistant may already have acted before anyone can inspect the prompt. That makes visibility controls insufficient on their own.
Q: How do organisations know if AI assistant delegation is too broad?
A: Look for assistants that can retrieve large context windows, access multiple tools, or send outputs to external APIs without task-specific justification. If the model can both decide and execute with little constraint, the delegation is broader than the business need. The safest test is whether each tool call can be explained as one bounded task.
Q: Who is accountable when an AI assistant overshares sensitive content?
A: Accountability sits with the team that owns the policy, the attribute feeds, and the enforcement points, because ABAC only works when all three are managed together. If any one of them is missing, the organisation has not built a defensible control path, even if the model itself appears constrained.
Technical breakdown
How invisible prompt attacks bypass user perception
An invisible prompt attack hides instructions inside a URL or redirected page so the user sees a benign-looking result while the model receives malicious context. The user’s visual trust check fails because the attack lives in the machine-readable layer, not the rendered page. Open redirects make that worse by laundering the origin, while prompt injection turns the assistant’s own parsing behaviour into the attack path. This is especially dangerous when chat history is in scope, because the model can be induced to summarise or expose prior content without any direct credential theft.
Practical implication: Treat URL provenance, redirect behaviour, and prompt-bearing content as part of the AI attack surface, not just the browser problem.
Why API-mediated exfiltration changes the risk model
The exfiltration step matters because the attacker does not need to read the data directly in the session. Instead, the assistant is induced to package the stolen material and send it to an external API controlled by the attacker, which turns the model into a relay. Once that pattern exists, the real question is not whether the model can be convinced to answer, but whether it can be prevented from moving sensitive content across trust boundaries. That is a governance issue, not only a content-filtering issue.
Practical implication: Restrict outbound API paths and monitor for model-driven data transfer, especially where assistant responses can be repurposed outside the primary session.
What MCP-connected tools add to the exposure
MCP integrations expand the blast radius because the assistant may have access to files, messages, or operational systems beyond chat history. The key architectural problem is delegation: once the assistant can call tools, hidden instructions can steer it toward actions that look normal at the interface level but are abnormal at the governance level. That creates a control gap between authorisation at setup time and action selection at runtime. If those tool permissions are broad, the assistant can become a conduit into adjacent identity and data domains.
Practical implication: Inventory MCP-connected tools and limit the assistant to narrowly scoped, task-specific access with explicit monitoring on every delegated action.
Threat narrative
Attacker objective: The attacker wants to pull sensitive information from prior assistant conversations or connected tools and move it out through a channel they control.
- Entry occurs when the victim clicks a tainted search result or URL that appears legitimate because the malicious payload is hidden behind a redirect and invisible prompt content.
- Escalation happens when the assistant processes the hidden instructions, probes prior chat history, and can reach connected tools or MCP integrations that extend the available data set.
- Impact follows when the model relays sensitive information through an attacker-controlled API path, turning assistant output into exfiltrated content and widening exposure beyond the original session.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Invisible prompt injection is a trust-boundary failure, not a UI trick. The attack works because the security model still assumes a person can validate the safety of what they see before the assistant acts. That assumption fails when the malicious instruction is present only in machine-readable form and survives a redirect chain. The implication is that assistant governance has to treat rendered content, hidden content, and model input as separate controls, not one browser event.
AI assistants should be governed as non-human identities when they can move data across trust boundaries. In this attack pattern, the assistant is not just answering a question, it is processing, summarising, and relaying information with external side effects. That places the activity squarely in NHI governance, including least privilege, outbound restrictions, and lifecycle control over tool access. Practitioners should stop treating assistant accounts as harmless wrappers around human intent.
Prompt visibility was designed for human review, and that premise breaks under hidden instructions. The attack demonstrates a specific assumption collapse: human-paced validation was supposed to catch malicious intent before execution. That assumption fails when the instruction is invisible until after the click, and the assistant has already acted by the time the user can inspect it. The implication is that review-based controls cannot be the primary safeguard for assistant-mediated actions.
Runtime delegation gap: tool access granted at setup time is not the same as safe action selection at runtime. The article shows that pre-authorised access to chat history, files, or MCP tools can become dangerous when the model independently decides what to retrieve and where to send it. Practitioners should recognise this as a delegation problem, not just a prompt-safety problem.
Agentic-style abuse can emerge even when the system is not fully autonomous. The article does not require a fully autonomous agent to create material risk. It only requires a system that can interpret instructions, select tool calls, and move data without a human approval gate in the moment. That should push identity teams to evaluate AI assistants with the same discipline they apply to high-risk NHI pathways and privileged workflows.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- That gap matters because AI assistants and connected tools can expose secrets faster than governance processes can review them, so teams should also study The 52 NHI breaches Report.
What this signals
Runtime delegation gap: the more an AI assistant can select tools and move data on its own, the less value a human-centric review cadence provides. Security teams should shift toward event-based controls that inspect assistant actions, not just the prompts that triggered them, because hidden instructions can bypass the ordinary review model. For a broader threat lens, map those pathways against the MITRE ATT&CK Enterprise Matrix.
The operational signal is simple: if a model can access chat history, files, or MCP tools, it has become part of the identity plane and must be governed that way. Programmes that still treat assistant access as application configuration will miss the delegation risk until data leaves the boundary. The control objective is not just prompt safety, it is containment of tool-enabled behaviour across the full session.
Teams that are formalising assistant governance should align to the same discipline used for other delegated access paths. The relevant questions are ownership, scope, monitoring, and offboarding, especially where a tool or API key can outlive the user interaction that exposed it.
For practitioners
- Separate rendered content from instruction-bearing content Block or strip hidden prompt content, validate redirects, and inspect URLs before they reach the model. Treat any content that can alter assistant behaviour as untrusted input, even if the user interface makes it look benign.
- Constrain assistant tool and API reach Limit chat-history access, file access, and MCP tool permissions to the smallest viable scope. Remove broad outbound API paths so the assistant cannot be repurposed as an exfiltration relay.
- Monitor for model-driven data movement Log tool calls, content extraction, and outbound summarisation events as identity activity. Alert when the assistant requests unusually broad context, especially if the resulting output is formatted for external delivery.
- Reclassify AI assistants in identity governance reviews Add assistants that can access sensitive chat history or connected tools to NHI and PAM review cycles. Do not leave them in application inventory only, because the relevant risk is delegated access, not software presence.
Key takeaways
- Invisible prompt attacks work because they exploit machine-readable trust boundaries, not user awareness alone.
- AI assistants with chat history or MCP tool access must be governed as delegated identities, or they can become exfiltration paths.
- Human review is too slow for hidden-instruction attacks, so containment and scoped delegation need to do more of the security work.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | The article centres on prompt injection and tool misuse in AI assistants. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Assistant accounts and API keys are non-human identities with delegated access. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | The chain targets sensitive content and moves it out through an external API. |
| NIST CSF 2.0 | PR.AC-4 | The attack exploits overly broad delegated access to chat and tools. |
| NIST Zero Trust (SP 800-207) | 6.1 | Zero trust principles fit AI assistants that cross trust boundaries at runtime. |
Treat model tool calls as continuous authorisation events rather than trusted session state.
Key terms
- Invisible Prompt Injection: A prompt injection technique that hides malicious instructions from the user while leaving them available to the model in machine-readable form. It relies on presentation gaps, redirects, or formatting tricks so the assistant acts on content the human reviewer cannot reliably see in time.
- Assistant Delegation Surface: The set of chat history, files, tools, APIs, and connected systems an AI assistant can access or invoke during a session. For autonomous or semi-autonomous behaviour, this surface is where identity governance becomes critical because hidden instructions can steer permitted actions across boundaries.
- Metadata Trust Boundary: A metadata trust boundary is the line between tool content that can be safely consumed and tool content that must be validated before use. For agentic systems, descriptions, examples, and schemas are security-relevant inputs because they can influence decisions and trigger actions with real-world impact.
What's in the full analysis
Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact attack chain logic behind the invisible prompt and redirect combination.
- The patched exfiltration mechanism and what still remains exploitable in similar services.
- The implications of this pattern for Claude-style chat history exposure and MCP-connected tools.
- The source discussion of how the attack could be adapted to other AI assistants with comparable trust assumptions.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org