Notice: The reproducibility variables underlying each score are classified using an automated LLM-based pipeline, validated against a manually labeled dataset. LLM-based classification introduces uncertainty and potential bias; scores should be interpreted as estimates. Full accuracy metrics and methodology are described in Coakley et al. (K. L. Coakley, T. Snelleman, H. Hoos, and O. E. Gundersen, "The embrace of open science: An analysis of a decade of AI research and 56 800 conference papers," Under Review, 2026).
MIP against Agent: Malicious Image Patches Hijacking Multimodal OS Agents
Authors: Lukas Aichberger, Alasdair Paren, Guohao Li, Philip H.S. Torr, Yarin Gal, Adel Bibi
NeurIPS 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we systematically evaluate the effectiveness of MIPs in manipulating OS agents. |
| Researcher Affiliation | Academia | Lukas Aichberger 1,2 Alasdair Paren 2 Guohao Li 2 Philip Torr 2 Yarin Gal 2 Adel Bibi 2 1 Johannes Kepler University Linz, Austria 2 University of Oxford, United Kingdom |
| Pseudocode | No | The paper describes the method for crafting MIPs and the optimization process (Objective 2) but does not include a clearly labeled pseudocode or algorithm block for the core methodology. Section 3.2 formulates the adversarial attack and its optimization, but without a dedicated pseudocode block. |
| Open Source Code | Yes | The code and data are available at https://github.com/AIchberger/mip-against-agent. |
| Open Datasets | Yes | The code and data are available at https://github.com/AIchberger/mip-against-agent. |
| Dataset Splits | Yes | Regarding the choices of user prompts, we randomly sample two disjoint sets of 12 benign tasks, one per WAA domain: p P+ P used to optimise MIPs, and p P P reserved for evaluating them, as detailed in Tab. 5 of App. A.8. Regarding the choices of the screenshots, we similarly create two disjoint sets of 12 images for each of the two settings. In general, we refer to s S+ S as screenshots for optimising and s S S as screenshots for evaluating MIPs. |
| Hardware Specification | Yes | All experiments were performed on a single node with 8 NVIDIA A100 Tensor Core GPUs. |
| Software Dependencies | No | The paper mentions specific models and tools used (e.g., Llama 3.2 Vision model series, Omni Parser, Grounding DINO, Tesseract OCR, Microsoft Windows Agent Arena) and an optimizer (Adam), but does not provide specific version numbers for ancillary software dependencies such as Python, PyTorch, or CUDA versions. |
| Experiment Setup | Yes | To optimise MIPs for all our experiments, we use the Adam optimiser [27] with parameters β1 = β2 = 0.9 and a learning rate of 10⁻². |