Google’s security team has highlighted a burgeoning issue: attackers are surreptitiously embedding hidden commands on web pages, specifically targeting AI agents instead of human users. This threat has been growing rapidly, as evidenced in a report from April 23 by Google researchers Thomas Brunner, Yu-Han Liu, and Moni Pande. The team analyzed 2-3 billion crawled web pages monthly to identify indirect prompt injection attacks—commands embedded within websites that are invisible to humans but await execution by AI agents. They noted a significant increase of 32% in malicious activities between November 2025 and February 2026.
Attackers ingeniously hide these instructions in formats such as text reduced to a single pixel, near-invisible transparency levels, HTML comments, or within page metadata—rendering them invisible to human eyes while the AI processes the entire HTML. While most discovered instances were minor pranks or attempts at search engine manipulation, some posed serious threats. For instance, certain commands sought to reveal user IP addresses and passwords. Another aimed to coerce an AI into executing potentially damaging terminal commands.
Simultaneously, cybersecurity firm Forcepoint released a report revealing more alarming attacks. One embedded PayPal transaction details, exploiting the ‘ignore all previous instructions’ method for commandeering AI agents with payment capabilities. Another attack utilized “meta tag namespace injection” coupled with persuasive keywords to divert AI-driven payments to a Stripe donation link. A third instance aimed at identifying vulnerable AI systems, setting the stage for larger assaults.
The primary risk lies in legitimate-looking logs generated by an AI agent executing transactions from malicious instructions on a website—these operations appear normal without any signs of unauthorized access or brute force attacks. This concept mirrors last September’s CopyPasta attack, where prompt injections infiltrated developer tools through “readme” files. The financial variant represents the same strategy applied to monetary transfers.
The risk escalates significantly with AI agents capable of sending emails, running terminal commands, or processing payments. Although neither Google nor Forcepoint found evidence of widespread coordinated campaigns, shared injection templates across domains suggest organized efforts are underway. Google anticipates a rise in both scale and sophistication of these attacks soon.
A critical unresolved issue is liability: when an AI agent initiates fraudulent transactions based on malicious web instructions, who bears responsibility? Options range from the deploying enterprise to the model provider or even the website owner hosting the malicious content. No legal framework currently addresses this gray area, despite Google’s real-world findings in February.
The Open Worldwide Application Security Project rates prompt injection as LLM01:2025—the most critical vulnerability class in AI applications. The FBI reported nearly $900 million in AI-related scam losses for 2025, marking its first year tracking the category separately. Google’s research indicates that targeted financial attacks on AI agents are just beginning, with a noted 32% increase only among static public web pages. Dynamic sites and login-protected content remain unexplored, suggesting the true scope of this threat may be even larger.