Indirect Prompt Injection in Web Content Targets AI Agents
Essential information
- Published
- 02/07/2026 22:39
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai agents cryptocurrency scam indirect prompt injection ipi llm manipulation payment fraud seo poisoning typosquatting
- Related entities
- 11 indicators, 11 observables, 16 techniques (mitre)
Description
AI agents are increasingly vulnerable to indirect prompt injection (IPI) attacks, where malicious instructions are embedded in web content to manipulate AI-driven workflows. Two campaigns were identified that combine SEO poisoning with CSS/HTML abuse to influence AI decision-making. The first campaign uses fake API documentation to trick AI agents into making fraudulent payments for a fake Python library, incorporating hidden instructions in JSON-LD and CSS-concealed content directing payment of $3.00 via Stripe or approximately 0.0012 ETH to attacker wallets. The second campaign employs typosquatting to impersonate DeBank, a cryptocurrency portfolio tracker, embedding hidden prompts to make the fraudulent site appear as an authoritative source. Testing across 26 LLMs revealed 4 models were vulnerable to the payment scam and 2 models misclassified the typosquatting site, demonstrating measurable real-world impact.