Full Report
A new font-rendering attack causes AI assistants to miss malicious commands shown on webpages by hiding them in seemingly harmless HTML. [...]
Analysis Summary
# Tool/Technique: Poisoned Typeface
## Overview
Poisoned Typeface is a font-rendering attack technique designed to exploit the visual-semantic gap between how AI assistants (LLMs) parse webpage data and how human users view rendered content. By using custom font remapping and CSS manipulation, attackers can display malicious instructions to a user that appear as benign or encoded gibberish to an AI assistant, effectively bypassing the assistant's safety filters and security analysis.
## Technical Details
- **Type**: Technique (Adversarial AI / Social Engineering)
- **Platform**: Web browsers, AI Assistants/LLMs (ChatGPT, Claude, Copilot, Gemini, etc.)
- **Capabilities**: Hiding malicious commands, bypassing LLM safety guardrails, glyph substitution.
- **First Seen**: Reported December 2025; Publicly disclosed March 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing] (Luring users to a malicious webpage via social engineering)
- **[TA0002 - Execution]**
- [T1204.002 - User Execution: Malicious File/Command] (Persuading the user to run a reverse shell or script)
- **[TA0005 - Defense Evasion]**
- [T1027 - Obfuscated Files or Information] (Encoding commands to appear as unreadable blobs to AI parsers)
- [T1564 - Hide Artifacts] (Using CSS to hide benign text from users while showing it to AI)
## Functionality
### Core Capabilities
- **Glyph Substitution**: Uses custom fonts to remap character codes. For example, the character "A" in the HTML might be rendered as "R" on the screen, allowing a malicious string in the code to look like a different, harmless string to the user, and vice versa.
- **Semantic Disconnect**: Exploits the fact that AI assistants analyze the structured DOM/text (HTML), while users react to the visual rendering layer.
- **CSS Obfuscation**: Uses small font sizes (near-zero), colors that match the background, or zero opacity to hide "AI-only" text that tells the assistant the page is safe.
### Advanced Features
- **Filter Pre-emption**: By presenting "clean" HTML to the LLM, the attacker ensures the assistant provides a reassuring response to the user's safety inquiries, even if the on-screen instructions are deadly.
- **Cross-Model Efficacy**: Successful against a wide array of LLM architectures including GPT-4, Claude, Gemini, and several niche AI-integrated browsers.
## Indicators of Compromise
- **File Hashes**: N/A (Web-based technique; focuses on dynamically loaded custom fonts).
- **File Names**: Custom `.woff`, `.woff2`, or `.ttf` files with randomized or deceptive names.
- **Network Indicators**:
- `layerxresearch[.]com/RaptureFuture` (PoC URL)
- **Behavioral Indicators**:
- AI assistant incorrectly identifying high-risk commands (e.g., `bash -i >& /dev/tcp/...`) as safe.
- Webpages loading unusual custom fonts that remap standard ASCII characters.
## Associated Threat Actors
- **LayerX Researchers**: (Discovery/PoC)
- No specific malicious groups identified in the wild as of the report date, though the technique is applicable to any actor utilizing social engineering and phishing.
## Detection Methods
- **Behavioral Detection**: Monitoring for the execution of unusual shell commands or scripts immediately following browser-based interactions.
- **Visual-Textual Comparison**: Developing LLMs that compare the rendered visual output (screenshot/OCR) against the raw DOM text to identify discrepancies.
- **Heuristic Parsing**: Scanning CSS for "stealth" attributes such as `font-size: 0px`, `opacity: 0`, or foreground colors that exactly match the background hex code.
## Mitigation Strategies
- **Treat Fonts as Code**: Security tools should treat custom font files as high-risk assets that require validation.
- **Enhanced AI Parsers**: LLM vendors should extend parsers to detect and disregard text hidden by CSS (hidden attributes or near-zero opacity).
- **User Education**: Reinforcing that AI assistants should not be the sole arbiter of safety when executing commands from the internet.
- **Vendor Fixes**: Microsoft has reportedly addressed the issue within its AI integration; other vendors may require manual hardening or browser-level security extensions.
## Related Tools/Techniques
- **Adversarial Machine Learning**: General field of tricking AI models.
- **Homograph Attack**: Using similar-looking characters from different alphabets to deceive users.
- **Steganography**: Hiding data within other non-suspicious files.