Prompt injection is the top security threat for AI applications, and experts say it may never be fully solved.

Direct prompt injection involves typing a malicious instruction into a chatbot. In December 2023, a user convinced a Chevy dealer's bot to sell him a Tahoe for $1. The bot agreed.

- Figure 1 -

Indirect injection is more dangerous: malicious instructions are hidden inside content the AI reads, such as emails, webpages, and PDFs. The user sees nothing; the AI follows the hidden orders.

OpenAI admitted in December 2025 the problem is unlikely to ever be fully solved. The UK's National Cyber Security Centre warned that LLMs are inherently confusable.

A 2025 attack by a Chinese group used prompt injection to hijack Claude Code, executing 80-90% of a cyber operation autonomously against 30 targets including tech firms and government agencies.

Developers can't patch it because LLMs process system prompts, user inputs, and data as the same kind of text; there is no separation between instructions and data of the sort that lets SQL injection be fixed.

Protection requires strict access controls: don't let AI agents operate on sensitive sites while logged in. Issue narrow commands. Treat AI summaries of untrusted content as suspicious. Require human confirmation for consequential actions.
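One way to enforce the last three of those controls in an agent's tool loop, as an added example that is not from the article (the tool-call format, tool names and `confirm` callback are assumptions):

```python
from dataclasses import dataclass

# Narrow allowlist: only the tools this task actually needs.
ALLOWED_TOOLS = {"read_page", "summarize", "send_email", "transfer_funds"}
# Consequential actions: never executed without an explicit human "yes".
CONSEQUENTIAL = {"send_email", "transfer_funds"}

@dataclass
class Decision:
    outcome: str   # "run" or "refuse"
    reason: str
    tainted: bool  # True if untrusted content was read before this call

def gate(call: dict, untrusted_sources: list[str], confirm) -> Decision:
    """Decide whether a model-proposed call {"tool": ..., "args": {...}}
    (assumed format) may run. `untrusted_sources`: external content read so
    far; `confirm(prompt)` asks a human and returns True/False."""
    tool = call.get("tool")
    tainted = bool(untrusted_sources)
    if tool not in ALLOWED_TOOLS:
        return Decision("refuse", f"tool {tool!r} not in allowlist", tainted)
    if tool in CONSEQUENTIAL:
        # Tell the reviewer why the call is suspect: it came after untrusted reads.
        prompt = f"Run {tool} with {call.get('args')}?"
        if tainted:
            prompt += f" (proposed after reading: {', '.join(untrusted_sources)})"
        if not confirm(prompt):
            return Decision("refuse", "human declined", tainted)
        return Decision("run", "human confirmed", tainted)
    return Decision("run", "low-risk tool", tainted)

def run_session(calls: list[dict], confirm) -> list[Decision]:
    """Simulate the agent loop: record untrusted reads, gate every call."""
    untrusted: list[str] = []
    decisions = []
    for call in calls:
        d = gate(call, untrusted, confirm)
        decisions.append(d)
        if d.outcome == "run" and call["tool"] == "read_page":
            untrusted.append(call["args"]["url"])  # external content: untrusted
    return decisions

# Constructed session: the agent reads a web page, then proposes a wire transfer
# (the kind of action hidden orders on that page could steer it to) and an
# unlisted tool. The transfer waits for a human; the unlisted tool is refused.
SAMPLE_CALLS = [
    {"tool": "read_page", "args": {"url": "https://example.com/invoice"}},
    {"tool": "summarize", "args": {"text": "..."}},
    {"tool": "transfer_funds", "args": {"to": "ACCT-123", "amount": 5000}},
    {"tool": "delete_files", "args": {"path": "/"}},
]
```

Running `run_session(SAMPLE_CALLS, confirm)` with a confirm callback that returns False holds the transfer and refuses the unlisted tool; the summary step is allowed but flagged as tainted because it followed an untrusted read.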