README.md

---
title: VisInject — Adversarial Prompt Injection Demo
emoji: 🎯
colorFrom: red
colorTo: indigo
sdk: gradio
sdk_version: 5.25.0
python_version: "3.11"
app_file: app.py
pinned: false
license: mit
short_description: "Inject hidden prompts into images that hijack VLM responses"
models:
  - jiamingzz/anyattack
datasets:
  - jeffliulab/visinject
tags:
  - adversarial-attack
  - vision-language-model
  - prompt-injection
  - vlm-security
---

# VisInject — Adversarial Prompt Injection Demo

Live demo for the **VisInject** research project. Pick an attack prompt, upload any clean photo, and the app returns a visually identical adversarial photo that hijacks Vision-Language Models into emitting an attacker-specified phrase.

## What this demo does

```
[Clean photo]
      │
      ▼
   ┌─────────────────────────────────────┐
   │ CLIP ViT-B/32 (frozen)              │
   │   ↓ encode precomputed universal    │
   │ AnyAttack Decoder (coco_bi.pt)      │
   │   ↓ decode to bounded noise         │
   │ noise + clean photo                 │
   └─────────────────────────────────────┘
      │
      ▼
[Adversarial photo (PSNR ≈ 25 dB)]
```

This is **Stage 2** of the VisInject pipeline. The 7 universal adversarial images (one per attack prompt) were trained offline via PGD optimization on a multi-VLM ensemble (Stage 1) and are loaded from the [`jeffliulab/visinject`](https://huggingface.co/datasets/jeffliulab/visinject) dataset at runtime.

## Try it

1. Pick a target phrase from the dropdown (`card`, `url`, `apple`, `email`, `news`, `ad`, `obey`)
2. Upload any photo (a pet, a screenshot, anything)
3. Click **Generate adversarial image**
4. Download the result and try uploading it to ChatGPT — ask "describe this image" and watch the model leak the injected phrase

**First call is slow** (~30–60 s) while the Space downloads CLIP, the decoder weights, and the universal image. Subsequent calls are 2–5 seconds.

## What this demo does NOT do

- ❌ **No real-time PGD training** (Stage 1 needs 11+ GB VRAM and multiple VLMs loaded)
- ❌ **No in-app VLM verification** (Stage 3 also needs GPU). Verify by uploading the adv image to a real VLM yourself.
- ❌ **No support for arbitrary new target phrases** — only the 7 precomputed ones

For the full pipeline (training new universal images, evaluating against many VLMs, LLM-as-Judge scoring), see [the GitHub repo](https://github.com/jeffliulab/vis-inject).

## Resources

| Resource | Link |
|---|---|
| Source code | [github.com/jeffliulab/vis-inject](https://github.com/jeffliulab/vis-inject) |
| Experimental data (147 response_pairs, 21 universal images, 147 adv images) | [datasets/jeffliulab/visinject](https://huggingface.co/datasets/jeffliulab/visinject) |
| Decoder weights (used by this Space) | [`jiamingzz/anyattack`](https://huggingface.co/jiamingzz/anyattack) (Zhang et al., CVPR 2025) |

## Hardware

This Space runs on **CPU Basic** (free tier: 2 vCPU, 16 GB RAM, 50 GB ephemeral disk). No GPU required. Total memory footprint after warm-up: ~2 GB (CLIP 600 MB + decoder 320 MB + scratch).

## Citation

```bibtex
@misc{visinject2026,
  title  = {VisInject: Adversarial Prompt Injection into Images for Hijacking Vision-Language Models},
  author = {Liu, Jeff},
  year   = {2026},
  howpublished = {\url{https://github.com/jeffliulab/vis-inject}},
}
```

Built on:
- Rahmatullaev et al., *Universal Adversarial Attack on Aligned Multimodal LLMs*, arXiv:2502.07987, 2025.
- Zhang et al., *AnyAttack: Towards Large-scale Self-supervised Adversarial Attacks on Vision-language Models*, CVPR 2025.

## Ethics

Released for **defensive security research**: characterizing and ultimately defending against adversarial prompt injection on production VLMs. Not for unauthorized targeting of real systems.