TZUTC: -0500   
   MSGID: 1943.consprcy@1:2320/105 2dc7a13c   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   IBM's AI 'Bob' could be manipulated to download and execute malware   
      
   Date:   
   Fri, 09 Jan 2026 16:50:00 +0000   
      
   Description:   
   Bob is also susceptible to indirect prompt injection, but only under specific   
   conditions.   
      
   FULL STORY   
      
   IBMs Generative Artificial Intelligence ( GenAI ) tool, Bob, is susceptible    
   to the same dangerous attack vector as most other similar tools - indirect   
   prompt injection.    
      
   Indirect prompt injection is when the AI tool is allowed to read the contents   
   found in other apps, such as email, or calendar.    
      
   A malicious actor can then send a seemingly benign email, or calendar entry,   
   which has a hidden prompt that instructs the tool to do nefarious things,    
   such as exfiltrate data, download and run malware , or establish persistence.   
      
   Risky permissions    
      
   Recently, security researchers Prompt Armor published a new report, stating   
   that IBMs coding agent, which is currently in beta, can be accessed either   
   through CLI (a terminal-based coding agent), or IDE (an AI-powered editor).   
   CLI is vulnerable to prompt injection, while IDE is vulnerable to known   
   AI-specific data exfiltration vectors.    
      
   We have opted to disclose this work publicly to ensure users are informed of   
   the acute risks of using the system prior to its full release, they said. We   
   hope that further protections will be in place to remediate these risks for   
   IBM Bob's General Access release.    
      
   There is a major caveat here, though. For the attackers to leverage this   
   attack vector, users must first configure Bob to grant it broad permissions.   
   Namely, the always allow permission needs to be enabled - for any command.    
      
   Thats quite the stretch, even for the least security-conscious users out   
   there. Since the tool is still in beta, we dont know if that permission is   
   enabled by default, but we doubt it will be.    
      
   In any case, Prompt Armor says the vulnerability allows threat actors to   
   deliver an arbitrary shell script payload to the victim, leveraging known and   
   custom malware variants to conduct different cyberattacks, such as    
   ransomware, credential theft, spyware, device takeover, botnet assimilation,   
   and more.    
      
    Via; PromptArmor    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/ibms-ai-bob-could-be-manipulated-to-dow   
   nload-and-execute-malware   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 275 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 633/280 712/848 902/26 2320/0 105 107 304 3634/12   
   SEEN-BY: 5075/35   
   PATH: 2320/105 229/426