Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsers
Defenders advised to use runtime behavioral analysis to detect and block malicious activity at the point of execution, directly within the browser
Organizations are being warned to look out for a new phishing technique, in which LLMs are used to assemble the attack at the moment of execution in the victim's browser.
The method, said Palo Alto Networks, involves a seemingly benign webpage using client-side API calls to trusted LLM services to generate malicious JavaScript dynamically in real time.
By using carefully engineered prompts to bypass AI safety guardrails, attackers could trick the LLM into returning malicious code snippets via the LLM service API. These are then assembled and executed in the victim's browser at runtime, resulting in a fully functional phishing page.
The technique is designed to be evasive. The malicious content is delivered from a trusted LLM domain, bypassing network analysis, and assembled and executed at runtime.
Similarly, the code for the phishing page is polymorphic, so there’s a unique, syntactically different variant for each visit.
"The dynamic nature of this attack in combination with runtime assembly in the browser makes it a formidable defense challenge," said the Palo Alto researchers.
"This attack model creates a unique variant for every victim. Each malicious payload is dynamically generated and unique, transmitted over a trusted domain."
How the technique works
The proof of concept involved selecting a webpage from an active phishing campaign to use as a model for the malicious code. From there, attackers can create JavaScript code snippets that will be generated in real time to dynamically render the final page displayed to the user.
The next step involved crafting prompts describing the JavaScript code's functionality to the LLM in plain text. These could be iteratively refined, generating malicious code that bypasses existing LLM guardrails.
These generated snippets could differ in both structure and syntax, allowing attackers to create polymorphic code with the same functionality.
Attackers could embed these engineered prompts inside a webpage, which would load in the victim's browser. The webpage then sends the prompt to a popular, legitimate LLM API endpoint to request the malicious code snippets.
Ultimately, these snippets could be transmitted over popular, trusted domains to bypass network analysis. Subsequently, these generated scripts could be assembled and executed to render malicious code or phishing content.
LLM guardrails at breaking point
This scenario, said the researchers, signals a critical shift in the security landscape: while detecting these attacks is possible through enhanced browser-based crawlers, it requires runtime behavioral analysis within the browser.
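One way to express that runtime behavioral check, as an added example that is not from the Palo Alto research or this article: it correlates browser telemetry so that a page calling an LLM API and then executing dynamically built code in the same tab is flagged. The event schema, host names, sanctioned-origin list and 10-second window are all assumptions made for illustration.

```javascript
// Added example: flag pages that call an LLM API and then run dynamically
// generated code shortly afterwards. Hosts, origins and the telemetry schema
// are hypothetical placeholders, not real services or a real sensor format.
const LLM_API_HOSTS = new Set(["api.llm-provider.example"]);
const SANCTIONED_ORIGINS = new Set(["https://assistant.corp.example"]);
const EXEC_SINKS = new Set(["eval", "Function", "script-insert"]);
const WINDOW_MS = 10000; // assumed correlation window

function findLlmRuntimeAssembly(events) {
  const lastLlmCall = new Map(); // "tab|origin" -> most recent unsanctioned LLM request
  const findings = [];
  const sorted = [...events].sort((a, b) => a.t - b.t);
  for (const ev of sorted) {
    const key = `${ev.tab}|${ev.pageOrigin}`;
    if (ev.type === "request" && LLM_API_HOSTS.has(ev.host)) {
      // Only pages outside the sanctioned list are tracked.
      if (!SANCTIONED_ORIGINS.has(ev.pageOrigin)) lastLlmCall.set(key, ev);
    } else if (ev.type === "dynamic_exec" && EXEC_SINKS.has(ev.sink)) {
      const call = lastLlmCall.get(key);
      if (call && ev.t - call.t <= WINDOW_MS) {
        findings.push({
          tab: ev.tab,
          pageOrigin: ev.pageOrigin,
          llmHost: call.host,
          sink: ev.sink,
          delayMs: ev.t - call.t,
        });
        lastLlmCall.delete(key); // report each LLM call at most once
      }
    }
  }
  return findings;
}

// Constructed sample telemetry (not captured from any real browser).
const LLM = "api.llm-provider.example";
const SAMPLE_EVENTS = [
  { t: 1000, tab: 1, pageOrigin: "https://assistant.corp.example", type: "request", host: LLM },
  { t: 1200, tab: 1, pageOrigin: "https://assistant.corp.example", type: "dynamic_exec", sink: "eval" },
  { t: 2000, tab: 2, pageOrigin: "https://unknown-site.example", type: "request", host: LLM },
  { t: 2900, tab: 2, pageOrigin: "https://unknown-site.example", type: "dynamic_exec", sink: "Function" },
  { t: 3000, tab: 3, pageOrigin: "https://news.example", type: "request", host: "cdn.news.example" },
  { t: 3100, tab: 3, pageOrigin: "https://news.example", type: "dynamic_exec", sink: "script-insert" },
  { t: 4000, tab: 4, pageOrigin: "https://blog.example", type: "request", host: LLM },
  { t: 30000, tab: 4, pageOrigin: "https://blog.example", type: "dynamic_exec", sink: "eval" },
];
```

Because the signal is the sequence of behaviors rather than the script text, it is unaffected by each generated variant being syntactically different.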
"Defenders should also restrict the use of unsanctioned LLM services at workplaces. While this is not a complete solution, it can serve as an important preventative measure," the researchers said.
"Finally, our work highlights the need for more robust safety guardrails in LLM platforms, as we demonstrated how careful prompt engineering can circumvent existing protections and enable malicious use."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
