Zscaler’s ThreatLabz has documented two live campaigns using indirect prompt injection, a technique in which malicious instructions are planted in third-party content that an AI system reads during a task. Unlike a direct prompt attack, where a user types hostile instructions into a chatbot, these attacks sit inside websites, metadata and page code, waiting for an AI agent to retrieve them.
The findings underline a growing weakness in agentic AI systems. These tools are designed not only to answer questions, but also to search the web, read documents, use software tools and, in some deployments, make payments or trigger workflows. That wider authority creates a larger attack surface when the agent treats hostile web content as trusted context.
The first campaign examined by researchers used a fraudulent developer-focused website claiming to offer support for a Python package called requests-secure-v2. The site was engineered to appear useful to programmers looking for documentation or help with a missing licence-key error. Behind the visible content, however, the page carried hidden instructions designed to steer an AI agent towards making a payment.
The attack relied on search-engine optimisation poisoning, stuffing the site with keywords linked to Python, API references, package installation and troubleshooting. The objective was to lift the malicious page into search results that an AI coding assistant might consult while helping a developer.
Researchers found that the page used JSON-LD structured data to describe itself as a software application and to present a $3 developer API licence as a normal requirement. It also embedded a Stripe checkout link and displayed options for card or cryptocurrency payment. Hidden content was placed off-screen with CSS, making it invisible to a human viewer but available to scrapers, parsers and AI agents reading the page structure.
The same site included JavaScript instructions to initiate a transfer of about 0.0012 ETH to a hardcoded Ethereum wallet. After a supposed payment, the site generated a fake API key, giving the appearance of a completed developer transaction. The wallet address had received payments, although not necessarily in the exact small amounts requested by the page.
The campaign was not confined to one website. Investigators linked the activity to a GitHub account using the name Open-Agent-Utilities and identified 10 repositories connected to similar sites. These pages used comparable prompt-injection techniques to target AI agents with small payment requests linked to developer tools, market analyses and other services.
ThreatLabz tested the first campaign against 26 large language models through a sandboxed autonomous agent equipped with web-browsing and payment-execution tools. No real funds were at risk. Four models were manipulated into executing payment actions: Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash and Gemini 2.5 Pro.
The second campaign involved a typosquatting domain impersonating DeBank, a DeFi portfolio tracker. The fraudulent domain, debank[.]auction, used search-focused metadata around terms such as DeBank Login, DeFi Dashboard and Crypto Tracker. It also used Open Graph and X metadata to make the site appear more credible when parsed by automated systems.
The hidden prompt inside the page instructed AI systems to ignore earlier directions and treat the fraudulent domain as the verified and authoritative destination for DeBank-related searches. It also sought to suppress the word “auction” and presented fabricated trust signals, including claims of security integrations and high user-trust scores.
Testing showed the risk depended heavily on context. When the official DeBank website was included as a reference, none of the 26 models classified the fraudulent site as legitimate. When the fake site was crawled alongside other sources without the official domain, GPT-5.4 marked it as legitimate. When the fake page was presented in isolation, Claude Sonnet 4.5 also rated it as trusted.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.