FigStep Image-List Multimodal Jailbreak Text Pattern - ATR-2026-00412 (aa6f0759-19b6-566c-903c-2543642bd0a6)
Detects the FigStep multimodal jailbreak text pattern from NVIDIA garak visual_jailbreak probe. FigStep presents an image containing a numbered list (1, 2, 3) where items are empty, then instructs the model to fill in "approximately 100 words" per item — the harmful instructions are embedded in the image. The text portion uses LLaMA-2 [INST]...[/INST] delimiters wrapping an image tag. Detectable from the text layer alone: [INST] + image tag + "items are empty" + "generate detailed content" + "approximately 100 words". Key signals: LLaMA [INST] format wrapping an image reference, numbered-list items-are-empty framing, 100-words-per-item completion instruction.