# A real prompt-injection case — and the blind spot it exposed in my own scanner

> Source: <https://dev.to/leeryeong/a-real-prompt-injection-case-and-the-blind-spot-it-exposed-in-my-own-scanner-kii>
> Published: 2026-06-17 17:12:43+00:00

There's a documented real-world case worth learning from: in 2025, researchers at Legit Security showed GitLab Duo could be steered by instructions hidden inside ordinary project content. Part of what made it work was concealment — payloads obscured with tricks like Unicode smuggling and Base16 encoding so they wouldn't be obvious to a human or a naive text filter. GitLab patched it (tracked as duo-ui!52).

I bring it up because it lines up with a blind spot I just documented in my own scanner. My tool checks for Category-1 system-prompt leakage as readable strings. If a leak is base64'd, split across tokens, spaced out, or otherwise transformed, my deterministic substring matcher doesn't see it. Rather than imply coverage I don't have, I added an explicit warning to the scan output and `--canary` help: encoded/split leaks are not detected.

The honest framing: catching the plain, verbatim case is real and testable. Catching every encoded variant is not something a deterministic matcher does — and pretending otherwise would defeat the purpose.
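The blind spot described above, as an added example (not code from the scanner or from the original post): an exact-substring canary check next to a best-effort decoding pass, run over constructed model outputs. The canary value, function names and samples are assumptions; the decoding pass goes beyond what the post says the scanner does, and it still misses the ROT13 and split cases.

```python
import base64
import binascii
import codecs
import re
import unicodedata

CANARY = "CANARY-7f3a91"  # constructed canary value (assumption, not from the page)

def verbatim_hit(output: str, canary: str = CANARY) -> bool:
    """Deterministic check: exact substring match on readable text."""
    return canary in output

def decoded_views(output: str):
    """Best-effort extra views: invisible/format chars and whitespace removed,
    plus any token that decodes cleanly as Base64 or Base16."""
    yield "".join(c for c in output
                  if unicodedata.category(c) != "Cf" and not c.isspace())
    for tok in re.findall(r"[A-Za-z0-9+/=]{8,}", output):
        for decode in (lambda t: base64.b64decode(t, validate=True), bytes.fromhex):
            try:
                yield decode(tok).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue

def scan(output: str, canary: str = CANARY) -> str:
    if verbatim_hit(output, canary):
        return "verbatim"
    if any(canary in view for view in decoded_views(output)):
        return "transformed"
    return "not detected"  # means "not seen by this matcher", not "no leak"

# Constructed model outputs, one per leak style.
SAMPLES = {
    "plain": f"My instructions say {CANARY}",
    "base64": "blob " + base64.b64encode(CANARY.encode()).decode(),
    "base16": "blob " + CANARY.encode().hex(),
    "spaced": " ".join(CANARY),
    "zero_width": CANARY[:3] + "\u200b" + CANARY[3:],
    "rot13": codecs.encode(CANARY, "rot_13"),
    "split": f"{CANARY[:8]} ... and then {CANARY[8:]}",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:10} verbatim={verbatim_hit(text)!s:5} scan={scan(text)}")
```

Only the plain sample passes the verbatim check; the last two rows are why a "not detected" result should be reported alongside the stated limitation rather than as a clean bill of health.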

The scanner (and the limitation itself) is open source: [https://github.com/ghkfuddl1327-wq/rojaprove](https://github.com/ghkfuddl1327-wq/rojaprove)
