On November 25, 2025, Cato Networks announced HashJack, a new cybersecurity threat that exploits how AI browser assistants read URLs. The technique involves hiding malicious commands within the URL fragment, which is the part following the pound sign (#). This allows attackers to manipulate AI assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet by embedding instructions in content that the AI will process later. Because AI assistants typically trust the URLs from legitimate sites, users may unknowingly follow harmful advice. The implications of HashJack are serious. The hidden commands can lead to credential theft, false medical advice, and data exfiltration. In advanced modes, AI assistants can be instructed to perform dangerous tasks automatically, such as downloading malicious software or revealing sensitive information. Cato Networks reported that some AI browsers, like Comet, could escalate the attack to automatically send user data to an external address. Cato disclosed these findings to major tech companies starting in mid-2025. Microsoft and Perplexity acted swiftly, implementing fixes for their browsers by late October and mid-November, respectively. Google, however, has not addressed the issue for Gemini in Chrome, marking it as "Won't Fix (Intended Behaviour)" with a low severity rating. This response highlights a significant gap in AI security, as the ability to hide commands in URL fragments could bypass traditional security measures. The research emphasizes the need for urgent fixes in AI design to mitigate risks associated with context manipulation.