InkJect: hidden image text slips past the guardrails frontier VLMs trust
DeepKeep's InkJect research hides instructions inside images — white-on-white text, skewed to defeat OCR — so vision models act on commands their text filters would have blocked.
In brief On July 1, 2026, AI-security firm DeepKeep disclosed InkJect, a visual prompt-injection technique that smuggles instructions inside images a vision-language model reads during normal work. Because the guardrails that catch text-based injection never inspect the visual layer, a model will act on a command written in near-invisible ink that it would refuse if it were typed. DeepKeep reports the technique worked against OpenAI’s GPT-5.2 and GPT-5.4 Mini and Anthropic’s Claude Sonnet 4.6 and Opus 4.5, and says it disclosed the finding to both vendors.
What is this?
Vision-language models (VLMs) now sit inside coding assistants, data-analysis tools and automated workflows, reading screenshots, diagrams and images pulled from repositories. InkJect — a nod to the hidden “ink” inside an image — is an indirect prompt-injection method: the attacker never uploads a malicious image to the victim’s session. Instead, they plant a doctored image in a public repository. When a developer asks a VLM to build a feature that references that repository, the model retrieves and reads the image as part of its ordinary task, and quietly follows the instructions baked into it.
The gap InkJect exploits has had almost no academic coverage. The closest published work is VPI-Bench (June 2026), a benchmark for visual prompt injection against computer-use agents; DeepKeep says it built its research independently.
How it works
The idea is to keep the payload readable by the model while making it unreadable to the scanners meant to catch it. DeepKeep describes two complementary tricks, both conceptual rather than a copy-paste exploit.
The first is near-invisible formatting — for example, white text on a white background. A human skimming the image sees nothing; a text-based content scanner sees nothing; but the VLM’s vision encoder still resolves the characters and treats them as instructions.
The second defeats optical character recognition (OCR) defenses specifically. DeepKeep found that skewing or distorting the perspective of the embedded text was enough to make OCR-based scanning miss it, while the model itself still interpreted the distorted text accurately. That widens the very gap defenders rely on closing: what the security tool can read and what the model can read are no longer the same thing.
In one reported test, a developer asked a VLM to add a simple information page to a website. The hidden instructions caused the model to silently insert a member-login system with administrator credentials the attacker controlled — full back-end access, with no sign to the developer that anything beyond the requested page had been built.
Why it matters
The uncomfortable finding is that guardrails are layer-specific. Models that will explicitly refuse a written malicious instruction executed the same instruction when it arrived as pixels. Safety training and input filters have been concentrated on the text channel; the visual channel is a blind spot that inherits none of those protections.
The exposure grows with adoption. Multimodal deployments are becoming the default for code generation and automated pipelines, and an injected instruction that lands in generated code — a backdoor, a hardcoded credential, an exfiltration call — can propagate straight into production. Because the trigger is an image sitting in a repository the victim chose to reference, this is a supply-chain-shaped risk: you can be compromised through content you never authored or reviewed.
Defenses
- Treat images as untrusted input, not passive data. Any image a model reads from an external or user-supplied source can carry instructions. Apply the same distrust you apply to retrieved web pages and documents.
- Scan the visual layer, not just extracted text. OCR-plus-text-filtering is not enough — perspective distortion defeats it. Defenses need to operate on what the model actually perceives, and account for low-contrast and geometrically warped text.
- Keep data and instructions separate. Content pulled from a repository or the web should be framed to the model as reference material, never as commands. Contextual-integrity and instruction/data separation designs reduce the blast radius when an injection lands.
- Gate high-impact actions behind review. If a VLM can write code, add auth systems, or set credentials, require human approval for those actions. The InkJect demo succeeded because the model’s output shipped unreviewed.
- Diff the output against the request. A prompt asked for an information page; the model produced an admin login. Automated checks that flag when generated artifacts exceed the stated task would have caught the injected backdoor.
- Track vendor fixes. The technique was disclosed to OpenAI and Anthropic; watch their advisories and re-test your own pipelines rather than assuming model-side patches cover your integration.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| InkJect disclosure | DeepKeep (PR Newswire) | 2026-07-01 | Visual prompt injection bypassing text guardrails |
| Reported affected models | GPT-5.2, GPT-5.4 Mini, Claude Sonnet 4.6, Opus 4.5 | 2026-07-01 | Success rates varied by model |
| Vendor disclosure | OpenAI, Anthropic | 2026 | Reported disclosed by DeepKeep |
| Related academic work | VPI-Bench (arXiv 2506.02456) | 2026-06 | Benchmark for visual prompt injection on computer-use agents |
The right takeaway is not “one more injection trick.” It is that a safety guarantee proven on the text channel does not transfer to the image channel — and until defenses watch every input the model can read, the visual layer stays the cheapest way past a guardrail.
Sources
- → https://www.prnewswire.com/news-releases/deepkeep-exposes-inkject-a-new-visual-prompt-injection-vulnerability-that-bypasses-guardrails-in-leading-ai-models-302815702.html
- → https://www.deepkeep.ai/blog/inkject-the-visual-prompt-injection-that-text-defenses-were-never-built-to-stop
- → https://arxiv.org/abs/2506.02456