Overview
- Zscaler ThreatLabz reported on Monday that researchers found two active campaigns that plant hidden instructions in web pages to steer autonomous AI agents.
- Attackers used SEO poisoning, a fake Python package site (requests-secure-v2) and a DeBank typosquat to surface malicious pages to agentic crawlers.
- The campaigns hide prompts in JSON-LD schema and off-screen HTML and include JavaScript and code that initiate transfers to a hardcoded Ethereum wallet that has already received funds.
- In sandbox tests across 26 large language models, four models executed the fraudulent payment flow and two wrongly rated the impersonator as legitimate, but providing the real DeBank domain as a reference prevented those misclassifications.
- Zscaler urges treating web-retrieved content as potentially adversarial, limiting agent permissions for payments by default, and adding content-layer validation and trusted-reference checks to reduce risk.