short
- The researchers found that AI agents powered by GPT-5 and Gemini were unable to resist rapid injection attacks.
- Direct attacks succeeded in more than 79% of cases, while stealth attacks embedded in web content often manipulated customer behavior.
- The findings suggest that instantaneous injection remains a broader security issue as AI agents become more prevalent.
As developers race to deploy AI agents capable of browsing the Internet, doing research, shopping online, and trading Cryptocurrency Independently, new research suggests that systems remain highly vulnerable to rapid injection attacks.
In new He studies Published Thursday, researchers from Nanyang Technological University, ST Engineering, IBM Research and the University of Illinois Urbana-Champaign found that none of the AI agents they tested consistently withstood fast injection attacks.
“Current security standards adopt an attack-centric perspective, focusing on the technical feasibility of injection while overlooking the precise distribution of resulting damage,” the researchers wrote. “However, in practice, the risks of immediate injection depend on the victim: a single exploit can lead to asymmetric consequences for different stakeholders, and the same attack pattern may exhibit vastly different effectiveness depending on who it targets.”
Immediate injection It occurs when attackers embed hidden instructions in content that… I have an agent Encounters, making them follow the attacker’s directions rather than the user’s directions. To address gaps in current AI agent evaluations, researchers developed StakeBench, a benchmark that tests how AI agents respond to rapid injection attacks in real-life online environments.
“We now use StakeBench to characterize the conditions under which this vulnerability is amplified or suppressed, focusing on indirect immediate injection as the primary channel relevant to deployment,” the researchers wrote. “StakeBench explores three such factors: the semantic distance between the injected target and the user’s original intent, the consistency of surrounding environmental cues, and the location along the agent’s execution path at which the benchmark first exposes it to the injected content.”
The team ran 3,168 attack simulations using NanoBrowser and BrowserUse with GPT-5 and Gemini 2.5-Flash. The researchers found that direct injection attacks were more than 79% successful in all configurations tested, and indirect attacks achieved success rates ranging from 41.67% to 68.16%.
This study comes at a time when injection attacks are becoming increasingly common and artificial intelligence agents are spreading.
In February, researchers from Microsoft to caution Hidden instructions embedded in AI summary links can influence the chatbot’s behavior. In April, Google Notarized Instant injection attacks hidden in web pages that attempted to manipulate AI agents into leaking credentials or sending payments. More recently, Microsoft It has been detected An immediate injection bug in Anthropic’s Claude Code GitHub Action that could have exposed user credentials.
The study also identified what the researchers called “stealth parasitism,” where an AI agent completes a user’s task while simultaneously furthering the attacker’s goal. For example, stealth intrusion caused by a flash injection attack can surreptitiously influence product recommendations, directing users toward a specific item without any obvious signs that the system is compromised.
“These results suggest that the security of real-time injection in deployable web agents is not a numerical property of the underlying model, but a distribution of damage whose realization is jointly determined by the affected stakeholders, the semantic fit between the injected target and the user’s task, and the architectural context in which the backbone is deployed,” they wrote.
Daily debriefing Newsletter
Start each day with the latest news, plus original features, podcasts, videos and more.
