Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsers

Defenders advised to use runtime behavioral analysis to detect and block malicious activity at the point of execution, directly within the browser


Organizations are being warned to look out for a new phishing technique, in which LLMs are used to assemble the attack at the moment of execution in the victim's browser.

The method, said Palo Alto Networks, involves a seemingly benign webpage using client-side API calls to trusted LLM services to generate malicious JavaScript dynamically in real time.

By using carefully engineered prompts to bypass AI safety guardrails, attackers could trick the LLM into returning malicious code snippets via the LLM service API. These are then assembled and executed in the victim's browser at runtime, resulting in a fully functional phishing page.

The technique is designed to be evasive. The malicious content is delivered from a trusted LLM domain, bypassing network analysis, and assembled and executed at runtime.

Similarly, the code for the phishing page is polymorphic, so there’s a unique, syntactically different variant for each visit.

"The dynamic nature of this attack in combination with runtime assembly in the browser makes it a formidable defense challenge," said the Palo Alto researchers.

"This attack model creates a unique variant for every victim. Each malicious payload is dynamically generated and unique, transmitted over a trusted domain."

How the technique works

The proof of concept involved selecting a webpage from an active phishing campaign to use as a model for the malicious code. From there, attackers can create JavaScript code snippets that will be generated in real time to dynamically render the final page displayed to the user.

The next step involved crafting prompts describing the JavaScript code's functionality to the LLM in plain text. These could be iteratively refined, generating malicious code that bypasses existing LLM guardrails.

These generated snippets could differ in both structure and syntax, allowing attackers to create polymorphic code with the same functionality.

Attackers could embed these engineered prompts inside a webpage, which would load in the victim's browser. The webpage then sends the prompt to a popular, legitimate LLM API endpoint, which returns the malicious code snippets.

Ultimately, these snippets could be transmitted over popular, trusted domains to bypass network analysis. Subsequently, these generated scripts could be assembled and executed to render malicious code or phishing content.

LLM guardrails at breaking point

This scenario, said the researchers, signals a critical shift in the security landscape: while detecting these attacks is possible through enhanced browser-based crawlers, it requires runtime behavioral analysis within the browser.

"Defenders should also restrict the use of unsanctioned LLM services at workplaces. While this is not a complete solution, it can serve as an important preventative measure," the researchers said.

"Finally, our work highlights the need for more robust safety guardrails in LLM platforms, as we demonstrated how careful prompt engineering can circumvent existing protections and enable malicious use."
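As an added illustration (not from the Palo Alto Networks research or the original article), the following JavaScript shows one form runtime behavioral analysis in the browser could take: it records text returned by LLM API hosts and reports when dynamically executed code overlaps with it. The hostname `llm-api.example`, the 24-character threshold and the names `createMonitor`, `recordResponse`, `checkSink` and `install` are assumptions made for the example.

```javascript
// Added example, not from the article. Hostname and threshold are assumptions.
const LLM_HOSTS = new Set(["llm-api.example"]); // placeholder LLM API host
const MIN_OVERLAP = 24; // shared characters needed to call it a match

function createMonitor(report) {
  const tainted = []; // { host, text } strings seen in LLM API responses

  // Keep every string leaf of a JSON body (generated code usually sits in
  // one); fall back to the raw text when the body is not JSON.
  function recordResponse(url, body) {
    let host;
    try { host = new URL(url).hostname; } catch { return; }
    if (!LLM_HOSTS.has(host)) return;
    const walk = (v) => {
      if (typeof v === "string") {
        if (v.length >= MIN_OVERLAP) tainted.push({ host, text: v });
      } else if (v && typeof v === "object") Object.values(v).forEach(walk);
    };
    try { walk(JSON.parse(body)); } catch { walk(body); }
  }

  // True when a MIN_OVERLAP-character chunk of `code` occurs in a tainted
  // string. It compares against this visit's own responses, not a signature.
  function checkSink(sink, code) {
    const src = String(code);
    for (let i = 0; i + MIN_OVERLAP <= src.length; i++) {
      const chunk = src.slice(i, i + MIN_OVERLAP);
      const hit = tainted.find((t) => t.text.includes(chunk));
      if (hit) { report({ sink, host: hit.host, sample: chunk }); return true; }
    }
    return false;
  }

  // Wrap fetch and one execution sink on `scope` (`window` in a browser).
  function install(scope) {
    const realFetch = scope.fetch.bind(scope);
    scope.fetch = async (input, init) => {
      const res = await realFetch(input, init);
      recordResponse(res.url, await res.clone().text());
      return res;
    };
    const RealFunction = scope.Function;
    scope.Function = function (...args) {
      checkSink("Function", args[args.length - 1] ?? "");
      return RealFunction(...args);
    };
  }
  return { recordResponse, checkSink, install };
}
```

Only `Function` is wrapped here; `eval`, script element insertion and string-based timers are other execution sinks a fuller monitor would cover in the same way.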


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.