Unicode variation selectors for invisible LLM injection (code.lol)

A new steganographic technique leveraging Unicode variation selectors (U+E0100–U+E017F) has been demonstrated as a potential method for invisible prompt injection attacks on large language models (LLMs). By encoding hidden ASCII characters within these typically invisible Unicode codepoints, malicious users could embed secret instructions into seemingly benign text inputs. This poses a unique security challenge because LLMs like ChatGPT can detect and interpret these hidden sequences even though they are not visually apparent, potentially allowing covert manipulation of model behavior. While initial experiments showed ChatGPT can “see” these secret values, crafting a hidden prompt strong enough to override visible instructions remains difficult. Attackers might combine this technique with homoglyphs or zero-width spaces to further obfuscate visible text, reducing its influence relative to the concealed payload. This raises concerns for scenarios involving direct copy-paste into prompt boxes, signaling a novel vector for subtle adversarial inputs that bypass traditional filtering. The AI community should consider bolstering defenses by training LLMs to recognize and reject suspicious Unicode steganography during post-training fine-tuning, alongside conventional detection mechanisms that flag malformed or unusual Unicode patterns. This approach could help harden models against evolving covert injection strategies, ensuring more robust and transparent language generation going forward.