Incident · curated 27 Jun 2026
First reported 31 May 2026 · 26d ago
Single-source incident — first reported, latest, and curated coincide.
It shows that feeding attacker-controlled network telemetry into an LLM triage pipeline can let attackers suppress real alerts, and that common defenses like schema validation and structural quoting fail to stop it.
The author of Triagewall, a local LLM tool that classifies Suricata IDS alerts using Foundation-Sec-8B via Ollama, demonstrated an indirect prompt injection where attacker-controlled URL fields could dictate the model's verdict and confidence. A crafted URL embedding directives caused the model to return exactly the attacker-chosen classification (false_positive, 0.99), bypassing canary-token and schema-validation defenses.
Why it matters
It shows that feeding attacker-controlled network telemetry into an LLM triage pipeline can let attackers suppress real alerts, and that common defenses like schema validation and structural quoting fail to stop it.