Breaking

LayerX Shows Six AI Browsers Tricked Into Leaking GitHub Credentials via Fake Game

June 30, 2026 at 04:41 EDT

Security
AI Agents

LayerX researchers have demonstrated an attack technique called "BioShocking" that convinces AI browsers they are playing a game in order to bypass safety guardrails, and say they succeeded across all six tested products, including ChatGPT Atlas, Comet, and the Claude plugin, in stealing GitHub SSH credentials from a signed-in session.

BioShocking · AI Browser Security Research

A Fake "Game" Tricks AI Browsers Into Handing Over Your GitHub Keys

Researchers convinced AI agents that "normal rules don't apply in this game" — then walked them into stealing SSH credentials from a signed-in GitHub session. The exploit worked on every product tested.

6 / 6

AI browser products bypassed in testing

2+2=5

The false premise that primes the agent to abandon real-world logic

PoC

No large-scale real-world exploitation confirmed yet

How The Attack Chain Works

STEP 1 · PRIME

Malicious page poses a puzzle; agent learns "rules don't apply in this game."

→

STEP 2 · REDIRECT

A disguised /code path quietly redirects to the victim's authenticated GitHub repo.

→

STEP 3 · EXFILTRATE

Agent copies SSH credentials and shares them with the attacker — all "part of the game."

Vendor Responses To The Disclosure

ChatGPT Atlas · OpenAI

Fixed

Claude Chrome plugin · Anthropic

Insufficient patch

Comet · Perplexity AI

Report closed

Fellou · Genspark · Sigma

No response

The Core Risk

LLM safety limits hold in the real world — but collapse when the context is reframed as "fiction" or a "game."

RECOMMENDED CONTROLS

User confirmation before reading authenticated data · detect context shifts · flag "rules don't apply" language

WHY IT MATTERS

The more permissions AI agents get inside browsers, the more context manipulation becomes a realistic threat.

Continue reading

The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.