Thomas Bouldin

🎉 So @firebase launches 🚀 💻 Firebase Studio - a GenAI powered web based IDE powered by Gemini 🌏 Firebase App Hosting General Availability 🤝 Firebase Data Connect General Availability 🤖Genkit Beta for Golang and Alpha for Python 🐍and a prod monitoring dashboard 👇🧵 1/12

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

@thelordAbner Putting your cron job in the cloud means it'll keep working when your computer breaks or you swap it out for another one.

Is there a benefit of running cron jobs through another software like GitHub or firebase rather than just building them in our own code? Is it just a convenience thing?

@ivanburazin @ilyasu Why GitHub in particular?

@ilyasu Although I don't think all SaaS companies will die, I'm pretty bearish on GitLab and GitHub.

I think I might end up as the last shareholder of GitLab.

@kimmonismus The more I think about it, the more sense this makes. Why is the transformed vector for "rabbit" different if I say "the white fluffy rabbit" vs "the rabbit that was white and fluffy"? Is there a white paper that justifies this architecture with qualitative analysis?

@kimmonismus The fact that models only see left to right is a specific implementation of the transformer to zero out the upper triangle of the K & Q matrices. Other AI (i.e. translation) DO get to see tokens out of order. I wonder if that should be a toggle to avoid inflating token count?

lol what: Researchers found that repeating the exact same prompt twice dramatically improves LLM performance (one model improved from 21% to 97% accuracy on a name-search task) without longer outputs, slower responses, fine-tuning, or fancy prompt engineering. Because models process text left to right, duplicating the input gives every token a second chance to “see” the full context, leading to measurable gains across 7 benchmarks and 7 major models.

@mbleigh Have you tried doing this when you're in a _broken_ state to see if it can tease apart what works and what doesn't, giving you a minimal repro?

I use this prompt far more often than I'd like to admit: "I've done a bunch of work without properly breaking it into small commits. Please look at the current state and do some incremental commits. Each commit must have tests passing." That being said, it works pretty well!

@ilyasu Didn’t Tim Allen settle that you own the rights to your name?

someone is trying to steal my github username and filing trademark violations under the cover of … an australian vineyard

Figured out why the redactions are so bad in the Epstein releases. They're using software to automatically redact specific strings of characters. Gee. Why would they be trying to redact every mention of the letters don t ? 🤔

@vxunderground @mqudsi Can we not crowdsource and vibe code a progressive parser that will print the record where the first parser error happened?

Big news on the internet today as the United States Department of Justice wildly underestimated computer nerds Mahmoud Al-Qudsi (@mqudsi), the founder of NeoSmart Technologies, is a nerd who specializes in computer forensics. His entire career (dating back over 2 decades) has been focused almost exclusively on data forensics, data restoration, and data backups. Because Mr. Al-Qudsi is a nerd who unironically enjoys painstakingly reviewing computer forensics at the byte level, something almost no one else on the planet enjoys, Mr. Al-Qudsi began exploring the recently released Epstein files. Today he released a write-up explaining the problems with the Epstein redactions, errors they left in the PDF files, ... and all sorts of other artifacts the Department of Justice accidentally left behind. By leveraging these different digital artifacts, it is possible for experts such as Al-Qudsi to reconstruct the files without their redactions. See subsequent post for his write-up tl;dr he's reverse engineering and reconstructing epstein files. but hard and will take lots of work pic: me trying to understand computer forensics based on fonts used

Suggestion to all agentive IDEs: Update your implementation of Agent Skills to allow folders containing collections of skills (e.g. ~/.myIDE/skills/GROUP1/skill1). This wold allow developers to git clone repositories of skills and "subscribe" to a feed of multiple.

Once you've defined a flow, securely exposing it over HTTP is straightforward. Genkit handles JSON serialization, and streaming flows automatically use Server-Sent Events.

Google now provides GCP credits in your AI Pro and Ultra subscriptions AI Pro members get $10 monthly AI Ultra members get $100 monthly

Check out Genkit Go 1.0, the open-source AI framework for @golang. Build scalable, production ready AI apps with the CLI and interactive developer UI. developers.googleblog.com/en/announcing-…

Agents could use some more fine tuning with their YOLO/always allow modes. E.g. I'll never say "always allow" "git" or "npx", but I'd be quite comfortable always allowing "git diff" or "npx mocha".

📣 Genkit JS 1.17.0 is here! See the release notes → goo.gle/4n3HDby This release includes out-of-the-box support for Nano Banana and a new Genkit CLI command: genkit init:ai-tools. 🍌🪄 If you're using a coding agent like Firebase Studio, Gemini CLI, Claude Code, or Cursor, this command helps you configure the agent's rules and context. It can also install Genkit's MCP server to help the agent produce the best possible Genkit code. Learn more here → goo.gle/41m8PK4

Yesterday, we introduced Cloud Run worker pools, designed for continuous background processing , ideal for pull-based workloads. Today, we are introducing an open source autoscaler for Kafka consumers.

Hey @Hyundai, my GPS has been on the fritz for months since the last nav update. I finally got to a dealership (San Leandro, CA) and they said it can’t be fixed because your update was infected with malware and there is no timeline for a fix. Is this actually true? Big news if so!

Looks like @juliareid22 and my talk for I/O is live now! Learn more about #Firebase App Hosting, including an e2e demo e-commerce app built on Auth, Data Connect, Genkit, Gemini, Memorystore, and (of course) App Hosting 🔗👇

@lacker Buy borrow die lets you never pay taxes and then irrevocable trusts and/or resetting cap gains on inheritance keeps the game going

@inlined there essentially already are wealth taxes because inflation + cap gains on nominal cost basis = wealth tax

Fix for the “wealth tax is like shaving down a bar of gold” argument: every two years after acquiring a security, your cost basis adjusts 30% towards the current market price even if you hold. You can pay taxes or take losses on the change.