Google's analysis of indirect AI prompt injection attacks on public websites reveals a growing number of attempts to manipulate AI assistants via malicious prompts embedded in external data sources. These indirect injections differ from direct prompt injections by being hidden in content the AI consumes rather than direct user input. The research identified two main malicious categories: data exfiltration prompts instructing AI to collect and send sensitive information, and destructive prompts attempting to cause data loss. However, the sophistication of these attacks remains low, with no significant advanced exploitation observed. The study noted a 32% increase in malicious prompt injection attempts over a recent four-month period, signaling a maturing threat landscape. While many prompt injections are harmless or serve benign purposes, the upward trend suggests attackers may soon develop more complex and impactful methods.

The impact currently is limited due to the low sophistication of observed attacks. Some malicious prompt injections aim to exfiltrate sensitive data such as IP addresses and credentials or cause destructive actions like file deletion, but these attempts have not been observed at scale or with advanced techniques. Harmless or benign prompt injections are more common. The threat is primarily to AI systems that consume external data and could be manipulated to bypass security controls or leak information. The increasing frequency of attacks indicates a growing risk that may lead to more effective exploitation in the future.

No official patch or fix is applicable as this is a class of attacks targeting AI prompt processing rather than a software vulnerability. Organizations should monitor developments and apply AI usage policies that limit exposure to untrusted external data. Since the attacks are currently low sophistication and not widespread, no urgent remediation is required. Security teams should stay informed through vendor advisories and research updates, as the threat is expected to evolve. Defensive measures may include filtering or sanitizing external content consumed by AI systems and applying AI model updates that improve resistance to prompt injection.