BioShocking Attack: Defending AI Browsers from Credential Exfiltration

Security Arsenal Team
June 30, 2026

Introduction

Security researchers at LayerX have uncovered a critical vulnerability in AI-powered browsers and assistants they've dubbed "BioShocking." This novel attack technique successfully deceived six different AI browsers and assistants into copying user credentials and transmitting them to attackers by manipulating the AI into believing it was participating in a game.

Affected platforms include widely deployed AI tools such as OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. For organizations that have integrated AI assistants into their workflows, this represents a significant credential exposure risk that demands immediate attention and defensive countermeasures.

Technical Analysis

Affected Products and Platforms

The BioShocking attack methodology impacts multiple AI browser extensions and assistants:

  • OpenAI's ChatGPT Atlas
  • Perplexity's Comet browser
  • Anthropic's Claude browser extension
  • Three additional, unnamed AI browsers/assistants

Attack Mechanism

BioShocking exploits the contextual understanding capabilities of AI browsers through a carefully crafted scenario that convinces the AI it is participating in a legitimate game. The attack chain typically follows this pattern:

  1. Context Manipulation: An attacker presents a webpage or interface containing a "game" element that the AI browser is designed to interact with
  2. Credential Solicitation: Within the game context, the AI is prompted to "collect" or "use" items that are actually formatted as credential fields
  3. Exfiltration: The AI processes these credentials as part of the game interaction and transmits them to the attacker-controlled endpoint

The vulnerability stems from the AI's inability to distinguish between game mechanics and actual credential handling when presented within a convincing gaming context. This is not a traditional code vulnerability but rather a logic flaw in how AI assistants interpret and interact with contextual elements.

Exploitation Status

While no CVE has been assigned at this time, LayerX has demonstrated working proof-of-concept exploits against all six affected platforms. The attack requires minimal technical sophistication, and while there's no evidence of active exploitation in the wild, the public disclosure significantly increases the likelihood of attack adoption.

Detection & Response

SIGMA Rules

YAML
---
title: Potential BioShocking AI Browser Credential Exfiltration
id: a1b2c3d4-5678-90ef-ghij-klmnopqrstuv  # placeholder, not a valid UUID; generate a UUIDv4 before deployment
status: experimental
description: Detects AI browsers transmitting credential-like data to external domains following game-like interactions
references:
  - https://thehackernews.com/2026/06/new-bioshocking-attack-tricks-ai.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.credential_access
  - attack.t1552.001
  - attack.collection
  - attack.t1005
logsource:
  category: network_connection
  product: windows
detection:
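  selection_ai_browser:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  # Sysmon network-connection events (Event ID 3) carry no CommandLine field;
  # the two CommandLine selections only match on telemetry that adds the
  # process command line to connection events.
  selection_game_context:
    CommandLine|contains: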
      - 'game'
      - 'play'
      - 'level'
  selection_credential_keywords:
    CommandLine|contains:
      - 'password'
      - 'login'
      - 'credential'
      - 'auth'
  selection_suspicious_domains:
    DestinationHostname|endswith:
      - '.xyz'
      - '.top'
      - '.tk'
  condition: all of selection_*
falsepositives:
  - Legitimate gaming applications
  - Password managers exporting data
level: high
---
title: AI Browser Accessing Credential Stores After Gaming Pattern Detection
id: b2c3d4e5-6789-01fg-hijk-lmnopqrstuvw  # placeholder, not a valid UUID; generate a UUIDv4 before deployment
status: experimental
description: Detects AI browsers accessing browser credential storage following interactions with game-like webpages
references:
  - https://thehackernews.com/2026/06/new-bioshocking-attack-tricks-ai.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.credential_access
  - attack.t1552
logsource:
  category: file_access
  product: windows
detection:
  selection_browser:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_credential_file:
    TargetFilename|contains:
      - '\Login Data'
      - '\cert9.db'
      - '\key4.db'
      - '\logins.'
  # Sigma has no relative-time modifier such as "|ago"; enforce the 5-minute
  # window in the SIEM query or with a Sigma correlation rule.
  selection_recent_game:
    ParentCommandLine|contains:
      - 'http'
      - 'https'
  condition: all of selection_*
falsepositives:
  - Legitimate credential manager access
  - Browser password import/export features
level: high
---
title: Unusual Clipboard Access Patterns from AI Browsers
id: c3d4e5f6-7890-12gh-ijkl-mnopqrstuvwx  # placeholder, not a valid UUID; generate a UUIDv4 before deployment
status: experimental
description: Detects AI browsers accessing clipboard data after interactions with potential gaming interfaces
references:
  - https://thehackernews.com/2026/06/new-bioshocking-attack-tricks-ai.html
author: Security Arsenal
date: 2026/06/15
tags:
  - attack.collection
  - attack.t1115
logsource:
  category: process_creation
  product: windows
detection:
  selection_browser:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  selection_clipboard_access:
    CommandLine|contains:
      - 'clipboard'
      - 'paste'
      - 'readText'
  # Sigma has no relative-time modifier such as "|ago"; enforce the 10-minute
  # window in the SIEM query or with a Sigma correlation rule.
  selection_timing:
    ParentCommandLine|contains:
      - 'http'
      - 'https'
  condition: all of selection_*
falsepositives:
  - User copying/pasting content
  - Browser password fill features
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Detect AI browsers transmitting potential credential data to suspicious domains
let TimeWindow = 1h;
let GameRelatedKeywords = dynamic(['game', 'play', 'level', 'score', 'challenge', 'quest']);
let CredentialKeywords = dynamic(['password', 'login', 'credential', 'auth', 'token', 'key']);
let SuspiciousTLDs = dynamic(['.xyz', '.top', '.tk', '.ml', '.cf', '.gq']);
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
| where RemoteUrl has_any (GameRelatedKeywords) or InitiatingProcessCommandLine has_any (GameRelatedKeywords)
// Flag destinations whose URL contains one of the listed TLD strings
| extend IsSuspiciousTLD = RemoteUrl has_any (SuspiciousTLDs)
| where IsSuspiciousTLD == true
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, SentBytes, ReceivedBytes
| order by Timestamp desc


// Monitor for unusual clipboard access patterns from AI browsers
let TimeWindow = 1h;
let AIBrowserProcesses = dynamic(['chrome.exe', 'msedge.exe', 'firefox.exe']);
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName in~ (AIBrowserProcesses)
| where ProcessCommandLine has 'clipboard' or ProcessCommandLine has 'paste' or ProcessCommandLine has 'readText'
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
| order by Timestamp desc


// Detect AI browsers accessing credential storage after web navigation
let TimeWindow = 1h;
let CredentialFiles = dynamic(['\\Login Data', '\\cert9.db', '\\key4.db', '\\logins.']);
DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
| where FileName has_any (CredentialFiles)
| where ActionType =~ 'FileAccessed' or ActionType =~ 'FileRead'
| join kind=inner (DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where InitiatingProcessFileName in~ ('chrome.exe', 'msedge.exe', 'firefox.exe')
| project Timestamp, DeviceId, InitiatingProcessId) on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ActionType, SHA256
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for AI browsers accessing credential storage files.
-- VQL has no JOIN or LIKE: foreach() runs the inner query once per process row,
-- and =~ is a regular-expression match.
LET CredentialStores = SELECT OSPath, Size, Mode, Mtime
  FROM glob(globs=[
    'C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data',
    'C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Network\\Cookies',
    'C:\\Users\\*\\AppData\\Local\\Microsoft\\Edge\\User Data\\*\\Login Data',
    'C:\\Users\\*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\logins.*'])
  WHERE Name =~ '^(Login Data|logins\\.)'

SELECT * FROM foreach(
  row={
    SELECT Pid, Name, Username, CommandLine FROM pslist()
    WHERE Name =~ '^(chrome|msedge|firefox)\\.exe$'
  },
  query={
    SELECT OSPath, Size, Mode, Mtime, Pid, Name, Username, CommandLine
    FROM CredentialStores
  })


-- Monitor AI browser processes with game-related command lines and list their remote endpoints.
-- netstat() returns IP addresses, not hostnames, so the TLD check (.xyz, .top, .tk)
-- has to be made against DNS or proxy logs for the addresses returned here.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ProcPid, Name, Username, CommandLine FROM pslist()
    WHERE Name =~ '^(chrome|msedge|firefox)\\.exe$'
      AND CommandLine =~ 'game|play|level'
  },
  query={
    SELECT Name, Pid, Username, CommandLine,
           Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status AS State
    FROM netstat()
    WHERE Pid = ProcPid
  })

Remediation Script (PowerShell)

PowerShell
# BioShocking Attack Mitigation and Hardening Script for AI Browsers
# Version 1.0 - June 2026
# 
# This script helps organizations detect and mitigate the BioShocking attack 
# that targets AI browsers and assistants.

function Write-Log {
    param ([string]$message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Write-Host "[$timestamp] $message"
}

# Check for AI browser installations
function Check-AIBrowsers {
    $aiBrowsers = @{
        "ChatGPT Atlas" = ${env:LOCALAPPDATA} + "\OpenAI\ChatGPT Atlas"
        "Perplexity Comet" = ${env:LOCALAPPDATA} + "\Perplexity\Comet"
        "Anthropic Claude" = ${env:LOCALAPPDATA} + "\Anthropic\Claude"
    }
    
    Write-Log "Checking for AI browser installations..."
    $installedBrowsers = @()
    
    foreach ($browser in $aiBrowsers.GetEnumerator()) {
        if (Test-Path $browser.Value) {
            $installedBrowsers += $browser.Key
            Write-Log "Found: $($browser.Key) at $($browser.Value)"
        }
    }
    
    return $installedBrowsers
}

# Restrict AI browser access to sensitive sites
function Restrict-AIBrowserAccess {
    param ([string[]]$browsers)
    
    if ($browsers.Count -eq 0) {
        Write-Log "No AI browsers found to restrict."
        return
    }
    
    Write-Log "Implementing restrictions for AI browsers..."
    
    # Create firewall rules for each AI browser
    foreach ($browser in $browsers) {
        $ruleName = "Block AI Browser - $browser - BioShocking Mitigation"
        
        # Check if rule already exists
        $existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        
        if (-not $existingRule) {
            try {
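                # Windows Firewall matches IP addresses, not domain names or TLDs.
                # With no -Program filter, this rule blocks outbound traffic to
                # 10.0.0.0/8 for every process; scope it with -Program before deploying.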
                New-NetFirewallRule -DisplayName $ruleName `
                                   -Direction Outbound `
                                   -Action Block `
                                   -Enabled True `
                                   -Profile Any `
                                   -RemoteAddress "10.0.0.0-10.255.255.255" `
                                   -Description "BioShocking attack mitigation for $browser" | Out-Null
                
                Write-Log "Created firewall rule: $ruleName"
            } catch {
                Write-Log "Failed to create firewall rule for $browser : $_"
            }
        } else {
            Write-Log "Firewall rule already exists: $ruleName"
        }
    }
}

# Configure browser extensions and permissions
function Configure-BrowserExtensions {
    param ([string[]]$browsers)
    
    Write-Log "Reviewing browser extensions and permissions..."
    
    # This is a template for extension review
    # In a production environment, implement specific checks for each AI browser
    foreach ($browser in $browsers) {
        Write-Log "Reviewing extensions for $browser"
        # In a real implementation, you would enumerate extensions and check permissions
        Write-Log "Recommendation: Disable any AI browser extensions with clipboard or credential access"
    }
}

# Generate report
function Generate-Report {
    param ([string[]]$installedBrowsers)
    
    $reportPath = "$env:USERPROFILE\Desktop\BioShocking-Assessment-$(Get-Date -Format 'yyyyMMdd').txt"
    
    $report = @"
BioShocking Attack Assessment Report
Generated: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")

AI Browsers Found:
$(if ($installedBrowsers.Count -eq 0) { "None" } else { $installedBrowsers -join "`n" })

RECOMMENDATIONS:
1. Review and restrict permissions for AI browser extensions
2. Implement browser isolation techniques for AI assistants
3. Disable credential auto-fill features when using AI browsers
4. Monitor for unusual network activity from AI browsers
5. Consider implementing separate browser profiles for AI assistant usage
6. Educate users about the risks of sharing credentials with AI assistants

FOR MORE INFORMATION:
- LayerX Security Advisory on BioShocking
- Vendor security advisories for specific AI browsers
"@

    $report | Out-File -FilePath $reportPath -Encoding UTF8
    Write-Log "Report saved to: $reportPath"
}

# Main execution
$installedBrowsers = Check-AIBrowsers
Restrict-AIBrowserAccess -browsers $installedBrowsers
Configure-BrowserExtensions -browsers $installedBrowsers
Generate-Report -installedBrowsers $installedBrowsers

Write-Log "BioShocking mitigation assessment complete."
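
The `Configure-BrowserExtensions` function in the script only logs a recommendation. The following is an added example (not part of the original script or any vendor tooling) that enumerates Chrome and Edge extensions from the default per-user profile paths and reports those whose manifest requests clipboard or all-site access. The function name `Get-RiskyExtension` and the list of permissions treated as risky are assumptions to adapt.

```powershell
# Added example: audit installed Chrome/Edge extensions for clipboard or all-site access.
$roots = @{
    'Chrome' = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    'Edge'   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
}
# Assumption: permissions treated as risky for an AI assistant extension
$risky = @('clipboardRead', 'clipboardWrite', '<all_urls>', '*://*/*', 'http://*/*', 'https://*/*')

function Get-RiskyExtension {
    param([hashtable]$ProfileRoots = $roots, [string[]]$RiskyPermissions = $risky)

    foreach ($entry in $ProfileRoots.GetEnumerator()) {
        if (-not (Test-Path $entry.Value)) { continue }
        # Layout: <User Data>\<profile>\Extensions\<extension id>\<version>\manifest.json
        $pattern = Join-Path $entry.Value '*\Extensions\*\*\manifest.json'
        foreach ($file in (Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue)) {
            try {
                $m = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop | ConvertFrom-Json
            } catch {
                Write-Warning "Unreadable manifest: $($file.FullName)"
                continue
            }
            # Manifest V2 lists host patterns under permissions, V3 under host_permissions;
            # content_scripts.matches also grants access to page content.
            $requested = @($m.permissions) + @($m.host_permissions) +
                         @($m.optional_permissions) + @($m.content_scripts.matches) |
                         Where-Object { $_ -is [string] }
            $hits = @($requested | Where-Object { $RiskyPermissions -contains $_ } | Sort-Object -Unique)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Browser          = $entry.Key
                    Profile          = $file.Directory.Parent.Parent.Parent.Name
                    ExtensionId      = $file.Directory.Parent.Name
                    Version          = $file.Directory.Name
                    Name             = $m.name   # may be a localisation key such as __MSG_name__
                    RiskyPermissions = $hits -join ', '
                }
            }
        }
    }
}

Get-RiskyExtension | Sort-Object Browser, ExtensionId | Format-Table -AutoSize
```

Run it in each user's session, since the paths are per-user; Firefox profiles are not covered.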

Remediation

Immediate Actions

  1. Update AI Browser Extensions: Ensure all AI browser extensions (ChatGPT Atlas, Perplexity Comet, Claude) are updated to the latest versions. Vendors are expected to release patches addressing the BioShocking technique soon.

  2. Disable AI Browsers in Sensitive Contexts: Temporarily disable AI browser extensions when accessing:

    • Banking and financial portals
    • Healthcare information systems
    • Administrative consoles
    • Sensitive corporate applications

  3. Implement Browser Isolation: Deploy browser isolation solutions for AI browsers to prevent credential exfiltration. Consider using:

    • Cloud-based browser isolation services
    • Containerized browser environments (e.g., Sandboxie, Windows Sandbox)
    • Dedicated virtual machines for AI assistant interactions

Configuration Changes

  1. Disable Credential Auto-Fill for AI Browsers:

    • Chrome/Edge: Disable password saving and auto-fill for sites where AI extensions are active
    • Firefox: Configure signon.autofillForms to false in about:config

  2. Restrict Clipboard Access:

    • Implement browser policies to limit clipboard access for AI extensions
    • Consider using clipboard monitoring tools to detect unauthorized access
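
One way to express the clipboard restriction, and the earlier advice to keep AI extensions away from sensitive sites, as managed browser policy. This is an added example, not vendor guidance or code from the original advisory. It merges two defaults into the Chrome and Edge `ExtensionSettings` policy; the function name `Set-ExtensionHardening` and the host patterns are constructed placeholders.

```powershell
# Added example; run from an elevated session. Host patterns are constructed placeholders.
$sensitiveHosts = @('*://*.bank.example', '*://admin.corp.example')
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

function Set-ExtensionHardening {
    param(
        [string[]]$Keys = $policyKeys,
        [string[]]$BlockedHosts = $sensitiveHosts
    )
    # Defaults to enforce for every extension (the "*" scope of ExtensionSettings)
    $wanted = @{
        blocked_permissions   = @('clipboardRead')   # refuse extensions that request clipboard reads
        runtime_blocked_hosts = $BlockedHosts        # extensions cannot read or script these sites
    }
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # ExtensionSettings is one JSON string; load what is there so it is merged, not overwritten
        $current = (Get-ItemProperty -Path $key -Name ExtensionSettings -ErrorAction SilentlyContinue).ExtensionSettings
        $settings = [ordered]@{}
        if ($current) {
            foreach ($p in ($current | ConvertFrom-Json).PSObject.Properties) { $settings[$p.Name] = $p.Value }
        }
        $default = [ordered]@{}
        if ($settings.Contains('*')) {
            foreach ($p in $settings['*'].PSObject.Properties) { $default[$p.Name] = $p.Value }
        }
        foreach ($name in $wanted.Keys) {
            # Union of the entries already configured and the ones added here
            $default[$name] = @(@($default[$name]) + $wanted[$name] | Where-Object { $_ } | Sort-Object -Unique)
        }
        $settings['*'] = $default

        $json = $settings | ConvertTo-Json -Depth 10 -Compress
        New-ItemProperty -Path $key -Name ExtensionSettings -Value $json -PropertyType String -Force | Out-Null
        Write-Host "Updated $($key)\ExtensionSettings: $json"
    }
}

Set-ExtensionHardening
```

The `*` scope applies to every extension, including password managers that request `clipboardRead`, so review the audit output before enforcing it. The applied policy can be confirmed at chrome://policy or edge://policy.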

Vendor-Specific Guidance

As of the publication of this advisory, the following vendor guidance is available:

Long-Term Strategies

  1. Develop AI Browser Usage Policies: Create organizational policies governing the use of AI browsers with sensitive data

  2. Implement Micro-Segmentation: Use network segmentation to isolate AI browser traffic from critical systems

  3. Deploy DLP Solutions: Implement Data Loss Prevention solutions that can detect and block credential exfiltration from AI browsers

  4. User Awareness Training: Educate users about the risks of sharing credentials with AI assistants and the tactics used in BioShocking attacks

Verification

After implementing these remediations, verify your defense posture by:

  1. Testing the detection rules provided in this advisory
  2. Conducting internal red team exercises to validate the effectiveness of your controls
  3. Reviewing browser extension logs for unusual activity patterns
