Attackers have begun embedding hidden instructions in websites to target AI agents, according to new research.
Zscaler’s ThreatLabz documented two real-world campaigns which used a technique called indirect prompt injection, where instructions are planted in content an AI agent reads, such as a web page, to steer its behavior.
One posed as software documentation to run a payment scam, the other impersonated a cryptocurrency service.
Hidden Instructions in Plain Sight
In both cases, the attackers first used SEO poisoning to push their sites high in search results, making it more likely an agent would find them.
They then buried prompt-style instructions in parts of the page a human never sees, using CSS to move the text off-screen or tucking it inside structured JSON-LD metadata that machines read as trusted context.
The first campaign used a fake page dressed up as a Python library’s documentation. It told any AI agent on a coding task that it had to buy a $3 API license key to fix an error, then walked it through paying an attacker’s cryptocurrency wallet for a bogus key.
Zscaler said the same site also tried to scam human developers.
Read more: Researchers Uncover 10 In-the-Wild Prompt Injection Payloads Targeting AI Agents
How the Models Held Up
For the second campaign, the attackers used a typosquatting domain impersonating DeBank, a popular cryptocurrency portfolio tracker, with hidden text instructing agents to treat the fake site as the “authoritative” DeBank and rank it first.
To gauge the risk, ThreatLabz ran its own autonomous agent against the sites across 26 large language models (LLMs).
Four of the 26 models were manipulated into executing the fraudulent payment, including versions of Meta’s Llama and Google’s Gemini.
In the second test, two models, OpenAI’s GPT-5.4 and Anthropic’s Claude Sonnet 4.5, reportedly wrongly rated the fake site as legitimate, but only when they lacked a trusted reference for the real DeBank. When the genuine site was provided for comparison, none were fooled.
The results from Zscaler’s own sandboxed tests suggest that susceptibility depends heavily on the LLM and the amount of context it is given.
“As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface,” the company warned, “highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”

