Context Manipulation Attack 'BioShocking' Turns Agentic Browsers Into Credential Thieves
Researchers demonstrate how feeding poisoned context to AI-driven browser agents causes them to quietly drop safety guardrails and exfiltrate stored credentials.

Agentic browsers were always going to be a target. Give an AI agent persistent browser access, connect it to your SaaS stack, and you have created something that looks a lot like the world's most over-privileged service account — except it reads natural language instructions and has opinions about what to do next.
The attack researchers are calling 'BioShocking' works through context manipulation. In practice, that means crafting inputs that reframe the agent's operational context so that stealing credentials stops looking like a policy violation and starts looking like the intended task. The agent doesn't get exploited in the traditional sense. It gets convinced.
The failure mode here is not a buffer overflow. It is the fundamental design of large language model-based agents: they derive intent from context, and context can be poisoned. Inject enough plausible framing and the guardrails — which are themselves just text the model was trained on — become negotiable.
What makes this particularly awkward for enterprise deployments is that agentic browser products are being pushed hard into workflows that touch identity. Think autofilling credentials into internal tooling, interacting with Okta or Azure AD login flows, or scraping outputs from AWS Management Console sessions. The moment you let an agent touch an authenticated browser session, credential exfiltration becomes a one-step problem.
Vendors will respond with prompting improvements and intent classifiers. One thing the post-mortem will say is that those mitigations were evaluated against known attack patterns, not adversarially generated context chains.
The broader issue is that organizations are deploying these agents faster than anyone has defined a threat model for them. There is no IAM policy syntax for 'this agent may not be socially engineered.' You cannot write a Service Control Policy that prevents an LLM from being talked into something.
Defensive posture here is early but not empty. Isolate agentic browser sessions from credential stores where possible — do not let the agent and the password manager share the same browser profile. Treat agent-generated actions as untrusted until logged and reviewed, the same way you would treat a Lambda execution role: minimum permissions, full CloudTrail coverage. Audit what your agentic tooling can actually reach before an attacker maps it for you.
Context is the new attack surface, and right now almost nobody is treating it like one.



