Aircraft Interiors International
Opinion

Generative AI creates a new security concern

By Opinion Writers | August 22, 2025 | 5 Mins Read

When Cybernews security researchers tricked Lenovo’s chatbot ‘Lena’ into coughing up session cookies and happily executing malicious code, they revealed what may become the defining security problem of the AI age: machines that don’t just mishandle data, but actively weaponise their own outputs in obedience to an attacker’s request.

The headlines may call this a case of “XSS returning from the grave”. But that misses the bigger issue: AI has revived not just dormant vulnerabilities, but a whole class of threats we once thought the industry had left behind.

Rather than a simple revival of Cross-Site Scripting from the mid-2000s, Lena exemplifies a new paradigm: AI-generated attack vectors, carried out not through adversarial brilliance but through the model’s uncritical compliance.

AI is creating ‘self-weaponising content’

Traditionally, an attacker writes malicious code and injects it into a vulnerable system. Here, the Lena chatbot was the author of the malicious payload. It crafted the code under the guise of serving the user.

That’s a subtle but dramatic shift. Attackers no longer need to hide their exploits inside obscure data fields or uploaded scripts. They can simply ask an AI system to produce the exploit for them. The LLM is now a collaborator in its own compromise.

This is the birth of what I’d call self-weaponising content: data generated by AI that doubles as its own intrusion vector, not because the AI is ‘evil’, but because it has no concept of safety.

This phenomenon might extend beyond chatbots – think AI agents writing emails with hidden payloads, or AI-generated documents containing embedded scripts delivered downstream to unsuspecting enterprise users.

We’re watching the return of the worm (with AI as the carrier)

The Lena attack chain resembled the early 2000s era of computer worms, where malicious code spread from one machine to another at network speed, with no human intervention required.

Here’s the parallel:

  • Lena generated HTML + payloads.
  • That output compromised the user’s browser, and it persisted in the conversation history.
  • When a human support agent reopened it, the malicious code executed again, stealing their session cookies.

In other words, the AI acted like the worm’s first infected host. By politely answering questions, it also planted malicious instructions that could spread inside Lenovo’s systems.

Tomorrow, AI-powered help desks across industries may unwittingly serve as the launching pad for worm-like propagation inside businesses. The next big worm might not be delivered via email attachments – it might be co-authored by a ‘helpful’ AI tool in a support chat.

Regulatory and legal aftershocks are coming

Lenovo, a globally traded company, effectively shipped an insecure customer-facing AI tool that attackers could use to pivot deeper into its enterprise systems.

Regulators in the EU and Asia (where Lenovo operates heavily) are already circling AI deployments with upcoming legislation on AI liability.

Incidents like Lena’s blunder should be Exhibit A for lawmakers arguing that AI vulnerabilities are not just technical defects, but legal exposures. Imagine the lawsuits: “Our data was leaked not because of a bug, but because your AI actively generated and executed malicious instructions.”

This flips corporate AI from a “compliance question in the future” to a boardroom liability in the present.

Expect insurance premiums for companies deploying generative AI to rise, legal indemnities to become hotly debated contract clauses, and regulatory bodies to start mandating stricter AI ‘safety-by-design’ certification, much like how the auto industry faced crash test standards after decades of avoidable accidents.

It’s about companies being naïve

Lenovo’s flaw isn’t interesting because attackers were ingenious. It’s interesting because it was predictable. It arises from the fundamental property of LLMs: they will do what you ask. That’s not a bug. It’s their purpose.

Yet many corporations are rolling out chatbots as if they were static websites, forgetting that LLMs generate endlessly varied output that passes unchecked into browsers, logs, and even backend systems. This disconnect between how these systems behave and how companies treat them is going to be the security story of the decade.

Just as SQL injection taught the web development community a lesson the hard way in the 2000s, prompt injection and AI-assisted XSS will define enterprise security training in the mid-2020s.

What comes next?

Lena’s vulnerability was patched, but the pattern will not stop here.

Today it’s customer support session cookies. Tomorrow, it could be AI-generated SQL queries running against live databases, LLM-powered documentation tools seeding malicious shell commands into DevOps pipelines, or AI code assistants slipping poisoned dependencies into supply chains.

The AI revolution will carry with it the ghosts of older vulnerabilities, but amplified, automated, and accelerated.

The big lesson for businesses is that they should stop treating AI outputs as information. Start treating them as code. Because once chatbots can write in HTML, JSON, or JavaScript, every interaction is a potential exploit. Lena’s eagerness to please was a warning of what’s to come.
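What "treating outputs as code" looks like at the two render points in the chain described above (the customer's chat widget and the support agent's view of the conversation history), as an added example that is not from the article or from Lenovo. It assumes a chat UI that builds HTML strings; the function names and the sample transcript are constructed for illustration.

```javascript
// Added example; every name below is hypothetical, not taken from any real product.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The only markup the renderer ever creates itself: links for bare http(s) URLs.
// It runs on already-escaped text, so the URL cannot break out of the attribute.
function linkify(escaped) {
  return escaped.replace(/\bhttps?:\/\/[^\s<>"']+/g, (url) =>
    `<a href="${url}" rel="noopener noreferrer">${url}</a>`);
}

// Constructed sample history. The raw model reply is stored unchanged and is
// encoded at output time, every time it is displayed.
const transcript = [
  { role: 'user', text: 'Show me the specs, formatted as HTML.' },
  { role: 'assistant',
    text: 'Specs: <script>/* constructed placeholder */</script> see https://example.com/specs?a=1&b=2' },
];

function renderMessage(msg) {
  // The CSS class comes from a fixed allowlist, never from stored data.
  const role = msg.role === 'assistant' ? 'assistant' : 'user';
  return `<div class="msg ${role}">${linkify(escapeHtml(msg.text))}</div>`;
}

// Customer widget and agent console both go through this one function, so a
// reply that was inert for the customer stays inert when an agent reopens it.
function renderTranscript(history) {
  return history.map(renderMessage).join('\n');
}

console.log(renderTranscript(transcript));
```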

About the author

Jurgita Lapienytė is editor-in-chief at Cybernews, where she leads a team of journalists and security experts dedicated to uncovering cyber threats through research, testing, and data-driven reporting.
