[2602.00750] Bypassing Prompt Injection Detectors through Evasive Injections

Computer Science > Cryptography and Security arXiv:2602.00750 (cs) [Submitted on 31 Jan 2026 (v1), last revised 1 Apr 2026 (this version, v2)] Title:Bypassing Prompt Injection Detectors through Evasive Injections Authors:Md Jahedur Rahman, Ihsen Alouani View a PDF of the paper titled Bypassing Prompt Injection Detectors through Evasive Injections, by Md Jahedur Rahman and 1 other authors View PDF HTML (experimental) Abstract:Large language models (LLMs) are increasingly used in interactive and retrieval-augmented systems, but they remain vulnerable to prompt injection attacks, where injected secondary prompts force the model to deviate from the user's instructions to execute a potentially malicious task defined by the adversary. Recent work shows that ML models trained on activation shifts from LLMs' hidden layers can detect such drift. In this paper, we demonstrate that these detectors are not robust to adaptive adversaries. We propose a multi-probe evasion attack that appends an adversarially optimised suffix to poisoned inputs, jointly optimising a universal suffix to simultaneously fool all layer-wise drift detectors while preserving the effectiveness of the underlying injection. Using a modified Greedy Coordinate Gradient (GCG) approach, we generate universal suffixes that make prompt injections consistently evasive across multiple probes simultaneously. On Phi-3 3.8B and Llama-3 8B, a single suffix achieves attack success rates of 93.91% and 99.63% in successfully ev...