Beyond the PDF: Multimodal Indirect Prompt Injection Attacks in LLM-Based Peer Review

TL;DR: What if attackers hid malicious cues in images, tables, or supplemental files—not just text—to manipulate LLM reviewers? By designing and testing multimodal prompt injection attacks (e.g., steganographic images, LaTeX, or embedded data), we can see if LLMs are even more vulnerable than previously thought.

Research Question: How susceptible are LLM-based scientific reviewers to indirect prompt injection attacks delivered via non-textual or multimodal document elements?

Hypothesis: LLMs processing scientific manuscripts with embedded images, code snippets, or supplementary data are vulnerable to multimodal prompt injections, potentially at rates equal to or higher than text-only attacks.

Experiment Plan: Extend the dataset from Sahoo et al. (2025) with scientific papers containing adversarial content in figures, tables, LaTeX, and supplementary files. Develop and automate multimodal injection strategies (e.g., steganographic images, adversarial LaTeX commands). Evaluate these attacks across the same 13 LLMs and compare WAVS scores to text-only attacks. Analyze which modalities and LLM architectures are most susceptible.

References:

• Sahoo, D., Prasad, M., Majhi, V., Singh, J., Chamola, V., Sinha, Y., Mandal, M., & Kumar, D. (2025). When Reject Turns into Accept: Quantifying the Vulnerability of LLM-Based Scientific Reviewers to Indirect Prompt Injection.
• Choi, B., Joon, T., Jun, J., Won, S., Park, I., Lee, J., Cho, S. I., Park, H. J., Lee, R. W., & Suh, J. (2025). Invisible Text Injection: The Trojan Horse of AI-Assisted Medical Peer Review. medRxiv.