More wide-ranging prompt injection! Not as fun as haunting baby but much more... terrifying might be the word?
In this case, adversarial attacks work on open-source models, which are then transferred to closed-source models where they often work just as well.