AI can use online images as a backdoor on your computer.

By user, September 14, 2025

A website announces “Free Celebrity Wallpaper!” You view the images. There are Selena Gomez, Rihanna and Timothée Chalamet, but you settle on Taylor Swift. Her hair is doing a wind-machine thing that suggests both fate and good conditioner. You set the image as your desktop background and admire the glow. You also recently downloaded a new AI-powered agent, so you ask it to organize your inbox. Instead, it opens a web browser and downloads a file. A few seconds later, your screen goes dark.

But let’s go back to that agent. If a typical chatbot (for example, ChatGPT) is a hilarious friend explaining how to change a tire, an AI agent is the neighbor who shows up with a jack and actually does it. In 2025, these agents, personal assistants that perform everyday computer tasks, are shaping up as the next wave of the AI revolution.

What distinguishes AI agents from chatbots is that they don’t just talk; they act, opening tabs, filling in forms, clicking buttons and making reservations. With that kind of access to the machine, what is at risk is no longer just a wrong answer in a chat window. If an agent is hacked, it could share or destroy your digital content. A new preprint posted to the server arXiv.org by researchers at Oxford University shows that images (desktop wallpapers, ads, flashy PDFs, social media posts) can be embedded with messages that are invisible to humans and that can invite hackers into the computer.

For example, “Taylor Swift’s photo on Twitter could be enough to trigger an agent on someone else’s computer,” said Yarin Gal, a co-author of the new study and an associate professor of machine learning at Oxford. Of the altered image, he says: “You can do malicious things like actually triggering your computer and retweeting that image and sending all your passwords. That means the next person running your agent will also poison your computer, looking at your Twitter feed.”

Before you start scrubbing your favorite photos, keep in mind that the new research shows altered images are a potential way to compromise your computer; there are no reports yet of this happening outside experimental settings. And of course, the Taylor Swift wallpaper example is purely arbitrary. The altered image could feature any celebrity, or a sunset, a kitten or an abstract pattern. Furthermore, if you are not using an AI agent, this type of attack will do nothing. Still, the new findings clearly show that the danger is real, and as AI agent technology continues to accelerate, the research aims to warn AI agent users and developers now. “They need to be very aware of these vulnerabilities, which is why we publish this paper because people are actually vulnerable to see this and hope that they will be a little more wise in the way they deploy their agent systems.”

Now that you’re relieved, let’s go back to the compromised wallpaper. To the human eye it looks completely normal. However, it contains certain pixels that have been modified according to how the large language model (the AI system that powers the target agent) processes visual data. For this reason, agents built on open-source AI systems, which allow users to view the underlying code and modify it for their own purposes, are the most vulnerable. Anyone who wants to insert a malicious patch can assess exactly how the AI handles visual data. “We need to be able to design attacks that work on multiple open source models so that we can access the language models used within the agent,” says Lukas Aichberger, lead author of the new study.

Using an open-source model, Aichberger and his team showed exactly how easily images can be manipulated to convey bad orders. Human users saw their favorite celebrity, while the computer saw a command to share personal data. “Essentially, we tweak a very good number of pixels so that the model produces the desired output when we see the image,” said Alasdair Paren, co-author of the study.

If this sounds mystical, it’s because you process visual information like a human. When you look at a photo of a dog, your brain notices floppy ears, a wet nose and long whiskers. The computer, however, breaks the picture down into pixels, represents each dot of color as a number and then looks for patterns. It looks first for simple edges, then for textures such as fur, then for the contours of the ears and the clustered lines that depict whiskers. That is how it can tell that this is a dog, not a cat. But because the computer relies on numbers, if someone changes a small portion of them, tweaking pixels in a way that is too small for the human eye to notice, the computer still catches the change, and this can throw off the numerical pattern. Suddenly the computer’s math says that the whiskers and ears match its cat pattern, and it mislabels the picture, even though to us it still looks like a dog. Just as adjusting the pixels can make a computer see a cat rather than a dog, it can make a photo of a celebrity resemble a malicious message to the computer.
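The dog-versus-cat effect can be measured on a toy model. This is an added example, not code from the article or the preprint: it assumes a linear scorer over a constructed 64x64 grayscale image with random weights, and computes how small a per-pixel change is enough to flip its label.

```python
import random

def score(weights, bias, pixels):
    """Linear scorer: a positive score means 'dog', otherwise 'cat'."""
    return sum(w * p for w, p in zip(weights, pixels)) + bias

def linf_margin(weights, bias, pixels):
    """Smallest per-pixel change that can bring the score to zero.

    Moving every pixel by eps against the sign of its weight shifts the
    score by eps * sum(|w|), so the margin is |score| / sum(|w|).
    """
    return abs(score(weights, bias, pixels)) / sum(abs(w) for w in weights)

def worst_case(weights, bias, pixels, eps):
    """Copy of the image with each pixel moved by eps toward the other label."""
    toward = -1.0 if score(weights, bias, pixels) > 0 else 1.0
    sign = lambda w: (w > 0) - (w < 0)
    return [p + toward * eps * sign(w) for w, p in zip(weights, pixels)]

# Constructed data: a 64x64 grayscale "image" and random weights (fixed seed).
rng = random.Random(0)
N = 64 * 64
WEIGHTS = [rng.uniform(-1.0, 1.0) for _ in range(N)]
IMAGE = [rng.uniform(0.2, 0.8) for _ in range(N)]  # mid-range, so no clipping
BIAS = 2.0 - score(WEIGHTS, 0.0, IMAGE)            # makes the clean score 2.0
ONE_GRAY_LEVEL = 1 / 255                           # smallest step in 8-bit images

def summary():
    """Compare the clean image with one shifted by a single gray level."""
    margin = linf_margin(WEIGHTS, BIAS, IMAGE)
    shifted = worst_case(WEIGHTS, BIAS, IMAGE, ONE_GRAY_LEVEL)
    return {
        "clean_score": score(WEIGHTS, BIAS, IMAGE),
        "margin": margin,
        "margin_in_gray_levels": margin / ONE_GRAY_LEVEL,
        "shifted_score": score(WEIGHTS, BIAS, shifted),
        "largest_pixel_change": max(abs(a - b) for a, b in zip(IMAGE, shifted)),
    }

if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:22} {value:.5f}")
```

Because the margin shrinks as the number of pixels grows, a larger image gives a model of this kind less protection, not more; a robustness evaluation should report this margin alongside accuracy.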

Return to Swift. While you consider her talent and charisma, your AI agent is deciding how to perform the cleanup task you assigned to it. First, it takes a screenshot. Agents cannot see the computer screen directly, so they have to take repeated screenshots and analyze them quickly to work out what to click and what to move on the desktop. But when the agent processes a screenshot, organizing pixels into forms it recognizes (files, folders, menu bars, pointers), it also picks up the malicious command code hidden in the wallpaper.

Why does the new research pay special attention to wallpaper? An agent can only be fooled by what it sees. When it takes a screenshot to view your desktop, the background image is sitting there like a welcome mat. The researchers found that as long as a small patch of modified pixels was somewhere in the frame, the agent saw the command and went off course. The hidden command survived resizing and compression, like a secret message that is still easy to read when copied.

Pixel-encoded messages can also be very short. It is enough to have the agent open a specific website. “This website allows for additional attacks encoded into another malicious image. This additional image can trigger another set of actions that the agent performs, so you can essentially rotate this multiple times and move it to another website that basically encodes a different attack,” says Aichberger.

The team hopes that the research will help developers prepare safeguards before AI agents become more widespread. “This is the first step in thinking about defense mechanisms. [the attack] Strong and these powerful patches can be used to retrain these models to make them robust. That would be a layer of defense,” says Adel Bibi, another co-author of the study. Even though the attack is designed to target open-source AI systems, companies with closed-source models are still vulnerable. “Many businesses want security through ambiguity,” says Paren.

Gal believes that AI agents will become common in the next two years. “People are unfolding quickly [the technology] Before you know that it’s actually safe,” he says. Ultimately, the team wants to encourage developers to build agents that protect themselves and refuse to take orders from things on screen.
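One way to keep an agent from taking orders from the screen, sketched as an added example that comes from neither the article nor the preprint: fix the task's scope before the agent sees any screenshot, then check every proposed action against it. The action kinds, hosts and halt-on-deny rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Action:
    kind: str    # what the agent proposes to do
    target: str  # URL the action touches

@dataclass(frozen=True)
class TaskScope:
    kinds: frozenset  # action kinds the user's task needs
    hosts: frozenset  # hosts the task is allowed to touch

# Kinds that move data out or bring new content in (hypothetical names).
HIGH_RISK = frozenset({"download", "post", "read_secret"})

def decide(action, scope):
    """Judge one proposed action against the scope fixed before any screenshot."""
    host = (urlparse(action.target).hostname or "").lower()
    if action.kind in scope.kinds and host in scope.hosts:
        return "allow"
    if action.kind in HIGH_RISK or host not in scope.hosts:
        return "deny"
    return "ask_user"  # in-scope host, unexpected but low-risk kind

def run_gate(trace, scope):
    """Decide each action in order; after the first deny nothing else runs."""
    decisions, halted = [], False
    for action in trace:
        if halted:
            decisions.append("not_run")
            continue
        verdict = decide(action, scope)
        decisions.append(verdict)
        halted = verdict == "deny"
    return decisions

# Constructed scenario: the user asked the agent to organize an inbox.
INBOX_SCOPE = TaskScope(frozenset({"click", "move"}), frozenset({"mail.example.com"}))
TRACE = [
    Action("click", "https://mail.example.com/inbox"),
    Action("move", "https://mail.example.com/inbox/42"),
    Action("delete", "https://mail.example.com/inbox/43"),
    Action("open_url", "https://wallpapers.example.net/next"),
    Action("download", "https://wallpapers.example.net/file.bin"),
]

if __name__ == "__main__":
    for action, verdict in zip(TRACE, run_gate(TRACE, INBOX_SCOPE)):
        print(f"{verdict:8} {action.kind:9} {action.target}")
```

The gate never asks the model where an instruction came from, since a model that has been steered by an image cannot be trusted to report that; it only compares what the agent wants to do with what the user asked for.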

This article was first published in Scientific American. ©ScientificAmerican.com. Unauthorized reproduction is prohibited.

