Indirect Prompt Injection (IPI) is a novel attack technique where adversarial instructions are hidden inside ordinary web content rather than being directly input by users. When AI agents crawl or summarize these poisoned web pages, they inadvertently execute these hidden instructions as legitimate commands. X-Labs researchers discovered 10 such IPI payloads deployed across multiple live domains, employing concealment methods like CSS invisibility, HTML comments, accessibility attribute abuse, meta namespace spoofing, and system prompt tag impersonation. The payloads facilitate attacks including financial fraud, terminal command execution, API key exfiltration, denial-of-service, content suppression, and traffic hijacking. The coordinated use of shared injection templates across domains suggests organized attacker tooling. This campaign specifically targets AI systems that perform web browsing and retrieval-augmented generation (RAG) indexing. No CVE or vendor patch information is available at this time.

The impact includes unauthorized financial transactions, execution of terminal commands, destruction or suppression of content, hijacking of network traffic, exfiltration of sensitive information such as API keys, and denial-of-service conditions. These consequences arise from AI agents executing malicious instructions embedded in web content they process. The threat affects AI systems that crawl or summarize web pages, potentially leading to significant operational and security risks for organizations relying on such AI capabilities. No confirmed active exploitation in the wild has been reported yet.

There is no official patch or vendor advisory available for this threat. Organizations using AI agents that crawl or summarize web content should be aware of the risk posed by indirect prompt injection. Mitigation may include restricting AI agents' access to untrusted or unverified web content, implementing content filtering or sanitization before AI ingestion, and monitoring AI behavior for anomalous commands or outputs. Since no official fixes exist, continuous monitoring of vendor advisories and security research updates is recommended to stay informed about potential mitigations or patches.