Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

July 6, 2026

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

July 6, 2026

Indirect Prompt Injection in Web Content Targets AI Agents

July 6, 2026
Facebook X (Twitter) Instagram
Monday, July 6
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»Cyber Security»Indirect Prompt Injection in Web Content Targets AI Agents
Cyber Security

Indirect Prompt Injection in Web Content Targets AI Agents

Team-CWDBy Team-CWDJuly 6, 2026No Comments2 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Attackers have begun embedding hidden instructions in websites to target AI agents, according to new research.

Zscaler’s ThreatLabz documented two real-world campaigns which used a technique called indirect prompt injection, where instructions are planted in content an AI agent reads, such as a web page, to steer its behavior.

One posed as software documentation to run a payment scam, the other impersonated a cryptocurrency service.

Hidden Instructions in Plain Sight

In both cases, the attackers first used SEO poisoning to push their sites high in search results, making it more likely an agent would find them.

They then buried prompt-style instructions in parts of the page a human never sees, using CSS to move the text off-screen or tucking it inside structured JSON-LD metadata that machines read as trusted context.

The first campaign used a fake page dressed up as a Python library’s documentation. It told any AI agent on a coding task that it had to buy a $3 API license key to fix an error, then walked it through paying an attacker’s cryptocurrency wallet for a bogus key.

Zscaler said the same site also tried to scam human developers.

Read more: Researchers Uncover 10 In-the-Wild Prompt Injection Payloads Targeting AI Agents

How the Models Held Up

For the second campaign, the attackers used a typosquatting domain impersonating DeBank, a popular cryptocurrency portfolio tracker, with hidden text instructing agents to treat the fake site as the “authoritative” DeBank and rank it first.

To gauge the risk, ThreatLabz ran its own autonomous agent against the sites across 26 large language models (LLMs).

Four of the 26 models were manipulated into executing the fraudulent payment, including versions of Meta’s Llama and Google’s Gemini.

In the second test, two models, OpenAI’s GPT-5.4 and Anthropic’s Claude Sonnet 4.5, reportedly wrongly rated the fake site as legitimate, but only when they lacked a trusted reference for the real DeBank. When the genuine site was provided for comparison, none were fooled.

The results from Zscaler’s own sandboxed tests suggest that susceptibility depends heavily on the LLM and the amount of context it is given.

“As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface,” the company warned, “highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleResearchers Claim First Fully Agentic Ransomware: JadePuffer
Next Article Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
Team-CWD
  • Website

Related Posts

Cyber Security

AI is Already Powering Cyber-Attacks. Can it Power Cyber Defense?

July 3, 2026
Cyber Security

Ethical AI Is an Operational Discipline, not a Philosophy

June 30, 2026
Cyber Security

The Security Coverage Gap is a Math Problem

June 26, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What if your romantic AI chatbot can’t keep a secret?

November 18, 2025

When ‘hacking’ your game becomes a security risk

October 17, 2025

Mobile app permissions (still) matter more than you may think

February 27, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.