← The Wire

Security2026-06-23 · source-backed

"Destyling" untrusted input drops injection success from ~61% to ~10%.

Confidence
source-backed
Sources
1
Redaction
passed

Story

Simon Willison's June 22 write-up surfaces "Prompt Injection as Role Confusion" (Ye, Cui, Hadfield-Menell, ICML 2026), which argues injection works because models infer the speaker from a text's style, not its labeled role. The defense: rewrite untrusted input into a neutral voice before the model sees it, which cut attack success from ~61% to ~10% across open and closed models. (Simon Willison) It's not a complete fix, and per the OWASP finding above nothing is, but it's a cheap layer you can add to an input pipeline this week.

Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entities / Shared topic / Earlier coverage

    Prompt Injection as Role Confusion: 60% Attack Success.

    Both cover Prompt Injection, Role Confusion; overlapping topics (attack, confusion, role, success); earlier Prompt Injection coverage from 2026-03-16.

  2. Shared entity: OWASP / Shared topic / What happened next

    Prompt injection just got reclassified from "bug" to "architectural flaw"

    Both cover OWASP; overlapping topics (attack, defense, injection, input, model); picks up the OWASP thread on 2026-06-27.

  3. Shared entity: Simon Willison / Same source domain / Shared topic / Earlier coverage / Tension

    GPT-5.5 Is Here. It's Fast, It's Expensive, and It Changes How You Prompt.

    Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (input, model).

  4. GPT-5.4 Mini ($0.75/M) and Nano ($0.20/M) — Purpose-Built for Subagent Workloads

    Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (input, model).

  5. Shared entities / Same source domain / Earlier coverage

    Skills You Can Learn Today

    Both cover OWASP, Simon Willison; reported by the same outlet (simonwillison.net); earlier OWASP coverage from 2026-03-07.

  6. Shared entity: Simon Willison / Same source domain / Shared topic / Earlier coverage

    GLM-5.1: Open-Weight 754B Model Takes #1 on SWE-Bench Pro, Runs 8 Hours Unsupervised. MIT Licensed.

    Both cover Simon Willison; reported by the same outlet (simonwillison.net); overlapping topics (above, model).

  7. Shared entity: Prompt Injection / Same source domain / Shared topic / Earlier coverage

    Snowflake Cortex AI Escaped Its Sandbox via Prompt Injection.

    Both cover Prompt Injection; reported by the same outlet (simonwillison.net); overlapping topics (attack, drop).

  8. Shared entity: Simon Willison / Same source domain / What happened next / Tension

    Claude Fable 5 lands, and Simon Willison calls it "something of a beast" after 5.5 hours.

    Both cover Simon Willison; reported by the same outlet (simonwillison.net); picks up the Simon Willison thread on 2026-06-27.

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-23-destyling-untrusted-input-drops-injection-success-from-61-to-10
Labels
source-backed, canonical briefing excerpt