
IBM's AI 'Bob' could be manipulated to download and execute malware

By Sead Fadilpašić, published 9 January 2026

Bob is also susceptible to indirect prompt injection


  • IBM’s GenAI tool “Bob” is vulnerable to indirect prompt injection attacks in beta testing
  • CLI faces prompt injection risks; IDE exposed to AI-specific data exfiltration vectors
  • Exploitation requires “always allow” permissions, enabling arbitrary shell scripts and malware deployment

IBM’s Generative Artificial Intelligence (GenAI) tool, Bob, is susceptible to the same dangerous attack vector as most other similar tools: indirect prompt injection.

Indirect prompt injection becomes possible when the AI tool is allowed to read content from other apps, such as email or calendar.

A malicious actor can then send a seemingly benign email, or calendar entry, which has a hidden prompt that instructs the tool to do nefarious things, such as exfiltrate data, download and run malware, or establish persistence.


Risky permissions

Recently, security researchers at PromptArmor published a new report stating that IBM’s coding agent, which is currently in beta, can be accessed either through a CLI (a terminal-based coding agent) or an IDE (an AI-powered editor). The CLI is vulnerable to prompt injection, while the IDE is vulnerable to “known AI-specific data exfiltration vectors”.

“We have opted to disclose this work publicly to ensure users are informed of the acute risks of using the system prior to its full release,” they said. “We hope that further protections will be in place to remediate these risks for IBM Bob's General Access release.”

There is a major caveat here, though. For the attackers to leverage this attack vector, users must first configure Bob to grant it broad permissions. Namely, the ‘always allow’ permission needs to be enabled - for any command.

That’s quite the stretch, even for the least security-conscious users out there. Since the tool is still in beta, we don’t know if that permission is enabled by default, but we doubt it will be.


In any case, PromptArmor says the vulnerability allows threat actors to deliver an arbitrary shell script payload to the victim, leveraging known and custom malware variants to conduct different cyberattacks, such as ransomware, credential theft, spyware, device takeover, botnet assimilation, and more.
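The caveat above is that exploitation depends on a blanket ‘always allow’ setting. As an added illustration (not IBM's or PromptArmor's code, and not a description of how Bob works internally), the Python below contrasts that setting with a hypothetical approval gate that auto-runs only a small allowlist and asks for confirmation whenever untrusted content is in the agent's context. The function names, the allowlist and the sample commands are all constructed for this example.

```python
import shlex

# Hypothetical allowlist: argv prefixes that may run without a confirmation prompt.
AUTO_APPROVE = [("pwd",), ("ls",), ("git", "status"), ("git", "diff"), ("git", "log")]
# Shell syntax that can attach a second command, a substitution or a redirect.
SHELL_META = set(";|&<>`$(){}\n\\")

def decide(command, context_tainted):
    """Return 'run' (no prompt) or 'ask' (a human must confirm)."""
    # Content the user did not write (email, web page, README) is in context:
    # any proposed command may be the injected instruction, so always ask.
    if context_tainted:
        return "ask"
    if any(ch in SHELL_META for ch in command):
        return "ask"
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: fail closed
        return "ask"
    for prefix in AUTO_APPROVE:
        rest = argv[len(prefix):]
        if tuple(argv[:len(prefix)]) == prefix and not any(a.startswith("-") for a in rest):
            return "run"
    return "ask"

def always_allow(command, context_tainted):
    """The blanket setting the article describes: every command runs unprompted."""
    return "run"

# Constructed sample proposals: (command, was untrusted content read first?)
SAMPLES = [
    ("git status", False),
    ("ls src", False),
    ("git status", True),
    ("ls; sh ./setup.sh", False),
    ("sh ./setup.sh", False),
    ("git diff --output=/tmp/x", False),
]

def compare():
    """Return (command, always-allow verdict, gated verdict) for each sample."""
    return [(cmd, always_allow(cmd, t), decide(cmd, t)) for cmd, t in SAMPLES]

if __name__ == "__main__":
    for cmd, blanket, gated in compare():
        print(f"{cmd!r:32} always-allow={blanket:4} gated={gated}")
```

The gate fails closed: anything it cannot parse or does not recognise goes to the user, so a hidden prompt can at most trigger a confirmation dialog rather than a silent execution.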

Via: PromptArmor
