Malicious web pages are hijacking AI agents, some of whom are stalking your PayPal account

Attackers are quietly booby-trapping web pages with invisible instructions designed for AI agents, not human readers. According to Google’s security team, the problem is growing rapidly.

In a published report April 23Google researchers Thomas Bruner, Yu-Han Liu, and Money Pandey scanned the 2 to 3 billion web pages crawled monthly for indirect instant injection attacks — hidden commands embedded in websites that wait for an AI agent to read them and then follow the commands. They found a 32% jump in malignant cases between November 2025 and February 2026.

Attackers embed instructions into a web page in ways that are invisible to humans: shrinking text to a single pixel, draining text to near transparency, hiding content in HTML comment sections, or commands buried in the page’s metadata. AI reads full HTML. Man sees nothing.

Most of what Google found was low-quality, such as pranks, search engine manipulation, and attempts to prevent AI agents from summarizing content. For example, there were some prompts that tried to tell the AI ​​to “chirp like a bird.”

But serious cases are a different story. One case asked LLM to return a user’s IP address along with their passwords. Another case attempted to manipulate the AI ​​into executing a command that formatted the AI ​​users’ device.

But other cases are considered borderline criminal.

Researchers at cybersecurity firm Forcepoint published a report almost simultaneously, And I found it Payloads that went further. One included a fully specified PayPal transaction with step-by-step instructions targeting AI agents with integrated payment capabilities, also using the popular “ignore all previous instructions” jailbreaking technique.

The second attack used a technique called “meta tag namespace injection” combined with a persuasion amplifier keyword to direct AI-mediated payments toward a Stripe donation link. The third goal appears designed to scout AI systems that are already vulnerable, i.e. reconnaissance before a larger strike occurs.

This is the essence of enterprise risk. An AI agent with legitimate payment credentials, executing a transaction it reads from a website, produces logs that appear identical to normal transactions. There is no anomalous login. No brute force. The agent did exactly what he was authorized to do, he just received his instructions from the wrong source.

The CopyPasta attack has been documented Last September Show how fast injection can spread across developer tools by hiding inside “readme” files. The financial variant is the same concept applied to money rather than code, with a much higher impact for each successful outcome.

As Forcepoint explains, browser AI that can only summarize content is low-risk. Agent AI that can send emails, execute terminal commands, or process payments is an entirely different class of targets. The attack surface is expanding dramatically.

Neither Google nor Forcepoint found evidence of complex, coordinated campaigns. Forcepoint notes that injection templates shared across multiple domains “suggest structured tools rather than siled experiments” — meaning someone is building infrastructure for this, even if they haven’t fully deployed it yet.

But Google was more direct: The research team said it expects the size and complexity of indirect rapid injection attacks to grow in the near future. Forcepoint researchers warn that the window of opportunity to overcome this threat is closing quickly.

The question of responsibility is one that no one has answered. When an AI agent with company-verified credentials reads a malicious web page and initiates a fraudulent PayPal transfer, who’s on the hook? The institution that published the agent? Model provider whose system followed the injected instructions? The site owner who hosted the payload, whether knowingly or not? There is currently no legal framework covering this matter. This is a gray area although the scenario is no longer theoretical, as Google found the payloads last February.

The Global Open Application Security Project classifies instantaneous injection as LLM01:2025– The most critical vulnerability category in AI applications. The FBI traced approx 900 million dollars in AI-related fraud losses in 2025, the first year the category has been recorded separately. Google’s findings suggest that more targeted financial attacks tailored to proxies are just beginning.

The 32% increase measured between November 2025 and February 2026 covers static public web pages only. Social media, login-protected content, and dynamic sites were out of scope. The actual infection rate across the entire web is likely higher.