Indirect prompt-injection web campaigns targeting AI agents
Campaign
Summary
Hide ▲
Show ▼
Two real-world campaigns are using indirect prompt injection and SEO poisoning to steer AI agents into fraudulent actions and false legitimacy judgments. The lures included a fake Python documentation page pushing a $3 API license key scam and a site impersonating DeBank. The activity turns ordinary web content into an attack surface for agent-driven browsing and payment workflows.
Related Happenings
Bayer reworks awareness training and AI access controls against AI-driven social engineering
Defensive Guidance
H score10
First: 02.06.2026 16:45
Last: 02.06.2026 16:45
Sources 1
About this happening:
Bayer has shifted to **psychology-first security awareness** and **tiered AI access controls** to blunt **AI-generated social engineering** across employees and suppliers. The pro...
Bayer reworks awareness training and AI access controls against AI-driven social engineering
Defensive GuidanceAbout this happening: Bayer has shifted to **psychology-first security awareness** and **tiered AI access controls** to blunt **AI-generated social engineering** across employees and suppliers. The pro...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical Analysis
H score20
First: 23.04.2026 12:30
Last: 23.04.2026 12:30
Sources 1
About this happening:
**10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical AnalysisAbout this happening: **10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score31
First: 25.03.2026 16:02
Last: 25.03.2026 16:02
Sources 1
About this happening:
A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical Analysis
H score25
First: 11.03.2026 18:38
Last: 11.03.2026 18:38
Sources 1
About this happening:
**Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical AnalysisAbout this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Underground AI services emerge with jailbroken APIs and MCP servers
Threat Actor Meta
H score11
First: 12.02.2026 14:45
Last: 12.02.2026 14:45
Sources 1
About this happening:
**Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...
Underground AI services emerge with jailbroken APIs and MCP servers
Threat Actor MetaAbout this happening: **Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...
Timeline
-
06.07.2026 18:00 2 articles · 3d ago
Zscaler identifies hidden-instruction web campaigns targeting AI agents
Initial DisclosureZscaler ThreatLabz identified two real-world campaigns targeting AI agents through indirect prompt injection in web pages. One used a fake Python library documentation page that pushed a $3 API license key payment scam, and the other used a typosquatting domain impersonating DeBank; both campaigns relied on SEO poisoning and hidden instructions placed in off-screen CSS or JSON-LD metadata. In sandbox tests across 26 large language models, four models were manipulated into executing the fraudulent payment, and GPT-5.4 and Claude Sonnet 4.5 misrated the fake DeBank site as legitimate when no trusted reference for the real site was provided.
Show sources
- Indirect Prompt Injection in Web Content Targets AI Agents — www.infosecurity-magazine.com — 06.07.2026 18:00
- Indirect Prompt Injection in Web Content Targets AI Agents — www.infosecurity-magazine.com — 06.07.2026 18:00