Overview
- Forcepoint X-Labs reported this week that it identified ten real indirect prompt injection payloads on live sites in April using telemetry and active threat hunting.
- Indirect prompt injection poisons a web page with covert instructions that an AI agent reads as orders because it does not separate page data from executable directions.
- Documented payloads tried to wipe files with a sudo rm -rf command, trigger a $5,000 PayPal.me transfer, and force an assistant to reveal a secret API key.
- Attackers hid these commands with tiny 1‑pixel fonts, near‑transparent text, HTML comments, metadata tags, accessibility layers, and CSS such as display:none.
- Google said its web scans found a 32% rise in malicious injections between November 2025 and February 2026, and researchers urged strict content‑command boundaries and minimal agent privileges to curb real‑world abuse.