{"slug": "a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner", "title": "A real prompt-injection case — and the blind spot it exposed in my own scanner", "summary": "A developer documented a blind spot in their own prompt-injection scanner after studying a real-world case where GitLab Duo was manipulated via hidden instructions in project content. The scanner, which checks for system-prompt leakage as readable strings, fails to detect encoded or obfuscated leaks such as those using Unicode smuggling or Base16 encoding. The developer added an explicit warning to the tool rather than claiming coverage it does not have.", "body_md": "There's a documented real-world case worth learning from: in 2025, researchers at Legit Security showed GitLab Duo could be steered by instructions hidden inside ordinary project content. Part of what made it work was concealment — payloads obscured with tricks like Unicode smuggling and Base16 encoding so they wouldn't be obvious to a human or a naive text filter. GitLab patched it (tracked as duo-ui!52).\n\nI bring it up because it lines up with a blind spot I just documented in my own scanner. My tool checks for Category-1 system-prompt leakage as readable strings. If a leak is base64'd, split across tokens, spaced out, or otherwise transformed, my deterministic substring matcher doesn't see it. Rather than imply coverage I don't have, I added an explicit warning to the scan output and --canary help: encoded/split leaks are not detected.\n\nThe honest framing: catching the plain, verbatim case is real and testable. Catching every encoded variant is not something a deterministic matcher does — and pretending otherwise would defeat the purpose.\n\nThe scanner (and the limitation itself) is open source: [https://github.com/ghkfuddl1327-wq/rojaprove](https://github.com/ghkfuddl1327-wq/rojaprove)", "url": "https://wpnews.pro/news/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner", "canonical_source": "https://dev.to/leeryeong/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner-kii", "published_at": "2026-06-17 17:12:43+00:00", "updated_at": "2026-06-17 17:21:33.903429+00:00", "lang": "en", "topics": ["ai-safety", "developer-tools", "large-language-models"], "entities": ["Legit Security", "GitLab Duo", "GitLab"], "alternates": {"html": "https://wpnews.pro/news/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner", "markdown": "https://wpnews.pro/news/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner.md", "text": "https://wpnews.pro/news/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner.txt", "jsonld": "https://wpnews.pro/news/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner.jsonld"}}