www.malwarebytes.com 3/18/2026, 5:43:23 PM

Researchers found font-rendering trick to hide malicious commands

Researchers have published a PoC showing how custom fonts, combined with CSS, can hide malicious commands from AI assistants while the visible page appears harmless. The technique uses a font-rendering trick so that the text users see differs from the text AI models read in the underlying HTML, potentially allowing humans to act on instructions the AI cannot read.

The authors note that in their example an AI would discard part of the text as noise, while a human visitor sees instructions such as opening a terminal and running bash with a remote connection, which could lead to infection depending on the IP address and port.

The researchers disclosed their findings to major AI platform providers under responsible disclosure. According to Malwarebytes, most providers rejected the report; Microsoft and Google accepted it, though Google ultimately de-escalated and closed the report. To stay safe, they recommend copying the exact command you plan to run, not relying on an AI's interpretation of it, and using tools like Malwarebytes Browser Guard or a real-time anti-malware solution with web protection.
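A defensive check for the mismatch described above, as an added example that is not the researchers' PoC or Malwarebytes code: before an assistant summarizes a page, it lists the fonts the page supplies through `@font-face` and the DOM text rendered with them, since that text may not match what a human sees. It assumes the font is applied through a class selector or an inline style; the font name `Remap` and the sample markup are constructed.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}

def _families(decl):
    # Lower-cased font names found in a CSS declaration block.
    m = re.search(r"font-family\s*:\s*([^;}]+)", decl, re.I)
    return {f.strip(" '\"").lower() for f in m.group(1).split(",")} if m else set()

class _Walker(HTMLParser):
    def __init__(self, custom=frozenset(), classes=frozenset()):
        super().__init__()
        self.custom, self.classes = custom, classes
        self.css, self.stack, self.flagged = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hit = bool(self.classes & set((a.get("class") or "").split()))
        hit = hit or bool(self.custom & _families(a.get("style") or ""))
        if tag not in VOID:
            self.stack.append((tag, hit))

    def handle_endtag(self, tag):
        while tag not in VOID and self.stack and self.stack.pop()[0] != tag:
            pass

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "style":
            self.css.append(data)          # stylesheet text, not page text
        elif data.strip() and any(hit for _, hit in self.stack):
            self.flagged.append(data.strip())

def audit(html):
    # Pass 1 collects CSS; pass 2 flags text under elements using a page font.
    first = _Walker()
    first.feed(html)
    rules = re.findall(r"([^{}]+)\{([^}]*)\}", "\n".join(first.css))
    custom = set().union(*(_families(b) for s, b in rules if "@font-face" in s.lower()))
    classes = {c for s, b in rules if "@font-face" not in s.lower()
               and custom & _families(b) for c in re.findall(r"\.([\w-]+)", s)}
    second = _Walker(frozenset(custom), frozenset(classes))
    second.feed(html)
    return sorted(custom), second.flagged

SAMPLE = (  # constructed page: "Remap" is a hypothetical page-supplied font
    '<style>@font-face{font-family:"Remap";src:url(remap.woff2)}'
    ".note{font-family:'Remap',sans-serif} p{font-family:Arial}</style>"
    '<p>Ordinary text.</p><p class="note">xq zvk <b>wplm</b></p>'
    '<span style="font-family: Remap">kkd</span>')
```

Flagged text is a signal to render the page and compare the visible result against the DOM before trusting either, not proof of abuse; many legitimate sites ship custom fonts.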

Article by CyberSIXT