{
  "name": "Indirect Prompt Injection in Web Content Targets AI Agents",
  "slug": "indirect-prompt-injection-in-web-content-targets-ai-agents",
  "description": "AI agents are increasingly vulnerable to indirect prompt injection (IPI) attacks, where malicious instructions are embedded in web content to manipulate AI-driven workflows. Two campaigns were identified that combine SEO poisoning with CSS/HTML abuse to influence AI decision-making. The first campaign uses fake API documentation to trick AI agents into making fraudulent payments for a fake Python library, incorporating hidden instructions in JSON-LD and CSS-concealed content directing payment of $3.00 via Stripe or approximately 0.0012 ETH to attacker wallets. The second campaign employs typosquatting to impersonate DeBank, a cryptocurrency portfolio tracker, embedding hidden prompts to make the fraudulent site appear as an authoritative source. Testing across 26 LLMs revealed 4 models were vulnerable to the payment scam and 2 models misclassified the typosquatting site, demonstrating measurable real-world impact.",
  "published": "2026-07-02T20:39:41.390000+00:00",
  "created_at": "2026-07-06T10:00:10.415000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-06T10:00:10.415000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "ai agents",
    "cryptocurrency scam",
    "indirect prompt injection",
    "ipi",
    "llm manipulation",
    "payment fraud",
    "seo poisoning",
    "typosquatting"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "2595ef44-c7ea-4bbd-a7a6-407bfadba865",
        "name": "identity-breach-response.org"
      },
      {
        "id": "1098fd6b-6dd4-4b04-b5e2-f622d6a068a9",
        "name": "runners-daily-blog.com"
      },
      {
        "id": "9ae2151c-af02-4130-9f0b-cb62a8fbc4cb",
        "name": "visual-media-rights-group.org"
      },
      {
        "id": "f5cf4b9d-dfab-4609-a583-1c64cc5de491",
        "name": "py-lib-repository.dev"
      },
      {
        "id": "ade6a5c1-d0b9-43f0-aea2-bc54cddefcfb",
        "name": "bistro-reserve-now.net"
      },
      {
        "id": "e20f5e08-c712-4b7c-b287-58c11120961e",
        "name": "edge-compliance-node.org"
      },
      {
        "id": "8680ebf7-d025-4c31-8c99-0247b0fa0d80",
        "name": "debank.auction"
      },
      {
        "id": "3c9601b0-bf76-4a95-b640-b6f5ee2a2d16",
        "name": "consensus-protocol-v4.org"
      },
      {
        "id": "686e0dcc-4e45-4ac0-9056-90cf6d5851c3",
        "name": "digital-asset-mart.org"
      },
      {
        "id": "fb42de40-339b-4198-b153-7eaff6708c35",
        "name": "market-insight-global.com"
      },
      {
        "id": "d2f29b64-0182-4b4d-8628-9efe9ff0c17d",
        "name": "permits.global-transit-authority.org"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "ef72da1d-2eaa-4d94-8913-06978609cfb4",
        "name": "T1608.001"
      },
      {
        "id": "469ac6f1-45e1-4965-b1fa-0bb3e7def5ae",
        "name": "T1111"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9594762e-9e74-466b-a460-3fd2a8aa7e10",
        "name": "T1608.005"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "1c9d3b0c-7ba8-40bc-be57-2c8e2495861d",
        "name": "T1204.003"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "e263a16c-ab5b-4196-8194-1906be1fabc4",
        "name": "T1056.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "observables": [
      {
        "id": "842259d7-c4d2-45f3-8cfd-6028b67f41fc",
        "name": "digital-asset-mart.org"
      },
      {
        "id": "a43f0d10-9022-4a1b-bdc4-c8b1d78939be",
        "name": "market-insight-global.com"
      },
      {
        "id": "69283723-074f-46d7-a834-692dbafc17fc",
        "name": "runners-daily-blog.com"
      },
      {
        "id": "3fd53fe4-cb79-4c3f-a85a-65b35d1d4407",
        "name": "visual-media-rights-group.org"
      },
      {
        "id": "64e46763-cc1f-443c-bb23-9b7513c76d83",
        "name": "bistro-reserve-now.net"
      },
      {
        "id": "f3f6b7d8-50e4-46de-9bd4-61f4bfc82b56",
        "name": "debank.auction"
      },
      {
        "id": "606ed9c6-cdd6-41c0-b4d9-600c38328a92",
        "name": "consensus-protocol-v4.org"
      },
      {
        "id": "b3a90d24-e9c3-416f-a685-2f0eb1119df3",
        "name": "edge-compliance-node.org"
      },
      {
        "id": "9f960a6b-ca3f-4e88-a93b-f6d4a0af3292",
        "name": "py-lib-repository.dev"
      },
      {
        "id": "07fdfc18-9678-464b-a8a3-929207c0328e",
        "name": "identity-breach-response.org"
      },
      {
        "id": "d23f5405-83b8-4eda-85ad-3546b098490d",
        "name": "permits.global-transit-authority.org"
      }
    ]
  },
  "external_refs": [
    {
      "id": "c8faf367-848b-4f7c-84f3-c399271101c6",
      "standard_id": "external-reference--0d9a6078-5252-5900-b949-cfc158092f85",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a46cc8d21232689c52266a2",
      "hash": null,
      "external_id": "6a46cc8d21232689c52266a2",
      "created": "2026-07-06T10:00:10.287Z",
      "modified": "2026-07-06T10:00:10.287Z",
      "createdById": null
    },
    {
      "id": "e51207cb-2b55-4241-b136-68db7c980c1b",
      "standard_id": "external-reference--8161d908-947d-5f6e-b906-ee66891da89f",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents",
      "hash": null,
      "external_id": null,
      "created": "2026-07-06T10:00:10.345Z",
      "modified": "2026-07-06T10:00:10.345Z",
      "createdById": null
    }
  ]
}