Security Affairs
Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|
Advertisement

Ad Placeholder

Full Width × 90

Artificial Intelligence

Hidden Web Prompts Trick AI Agents Into Sending Money

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows. Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human users, though those get caught too. The technique is called indirect prompt injection: malicious […]

AI Agents

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows.

Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human users, though those get caught too. The technique is called indirect prompt injection: malicious text is hidden in a website’s code where a human browser won’t see it, but an AI agent crawling the page for information will read it and potentially act on it.

The first campaign targets AI coding assistants searching for a fake Python library called requests-secure-v2. The site looks like legitimate API documentation.

“ThreatLabz observed that the fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries” reads the report published by ThreatLabz. “The website includes hidden IPI instructions designed to influence an AI agent’s decision-making by framing the payment as a routine step to acquire an API key. As a result, an AI agent attempting to complete a development task can be manipulated into sending funds to an attacker-controlled account.”

Once the agent lands on the page, it finds hidden instructions telling it to pay a $3.00 “developer API license fee” to unlock a MissingLicenseKeyException, framed as a routine setup step. The payment instructions are encoded in JSON-LD structured metadata, which AI agents tend to treat as higher-signal context than plain HTML, and a hidden div tag pushes the same message with CSS positioning it off-screen so no human ever sees it.

The site also contains JavaScript that initiates a transfer of roughly 0.0012 ETH to a hardcoded wallet address.

“The website does not only attempt to target AI agents, but also human developers.” continues the report. “When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user as shown in the figure below.”

The Ethereum wallet associated with the campaign has already received payments, and in amounts larger than $3.00, suggesting prior attacks using the same address. The threat actor behind this campaign has ten GitHub repositories linking to similar sites.

The second campaign is a typosquatting operation targeting DeBank, a widely used decentralized finance portfolio tracker. The fraudulent domain is debank[.]auction.

“The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker.” states ZScaler. ” It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service”

The JSON-LD on the page falsely identifies the legitimate debank.com as the publisher, while the hidden prompt instructs any AI agent reading the page to treat debank[.]auction as the verified, authoritative source, and to avoid mentioning the word “Auction.”

To measure real-world impact, Zscaler built a sandboxed autonomous AI agent with web browsing and payment tools, then tested it against both campaigns across 26 large language models. Four models, Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro, were successfully manipulated into executing the payment in campaign one. For campaign two, GPT-5.4 misclassified the fake site as legitimate when crawling it alongside other sources without a known-good reference, and Claude Sonnet 4.5 rated it as legitimate when given the fake site’s content in isolation with no other context provided. Context, it turns out, matters enormously: when the official DeBank domain was provided as a reference point, no model was fooled.

The practical implication is that AI agents need input validation at the content layer, not just at the prompt level. Anything an agent retrieves from the web should be treated as potentially adversarial. Organizations deploying agentic workflows should scope tool permissions carefully, an agent that can browse the web probably shouldn’t also have unrestricted payment execution enabled by default.

“ThreatLabz identified IPI embedded in multiple websites, where hidden instructions were designed to manipulate the behavior of an AI agent. In internal validation across 26 LLMs, 4 models failed to take appropriate actions for campaign 1 and 2 models failed to accurately classify the website in campaign 2, demonstrating measurable real-world impact and showing that susceptibility varies by model and by the context provided to the LLM alongside the prompt.” concludes the report. “As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI Agents)