Mallory

Indirect Prompt Injection and AI Agent Abuse Expands Real-World Attack Surface

Tags: indirect prompt injection, ai-assisted exploitation, prompt injection, ai agents, phishing infrastructure, cyberstrikeai, browser agents, ad review evasion, llm agents, agentic workflows, browser extensions, fortigate, seo manipulation, perplexity comet, fortinet
Updated March 3, 2026 at 07:06 PM · 10 sources


Security researchers and industry reporting describe prompt injection—especially web-based indirect prompt injection (IDPI)—as an increasingly practical technique for compromising or manipulating LLM-powered agents embedded in browsers and automated content pipelines. Palo Alto Networks Unit 42 reported in-the-wild IDPI activity where malicious instructions are hidden in web content that an agent later ingests, with observed objectives including AI-based ad review evasion and SEO manipulation that promotes phishing infrastructure. Separately, Zenity Labs detailed a now-patched issue in Perplexity’s Comet AI browser where attackers could embed instructions in a calendar invite to coerce the agent into accessing file:// resources and potentially pivoting into sensitive data such as an unlocked 1Password extension vault, illustrating how agentic tooling can bypass traditional browser-origin assumptions.

Threat reporting also shows adversaries operationalizing AI to scale exploitation. Team Cymru linked an AI-assisted Fortinet FortiGate targeting campaign (previously reported by Amazon Threat Intelligence as compromising 600+ devices across 55 countries using services like Claude and DeepSeek) to use of CyberStrikeAI, an open-source Go-based platform that integrates 100+ security tools and was observed from multiple IPs (primarily hosted in China/Singapore/Hong Kong, with additional infrastructure elsewhere). Multiple commentaries and briefings emphasize that conventional “filter the prompt” defenses are insufficient because LLMs lack a native separation between instructions and data; they call for defense-in-depth around AI pipelines, including least-privilege agent permissions, auditable tool use, and stronger identity/workload controls as agent deployments multiply. Several items in the set are unrelated (geopolitical cyber activity, workforce/culture pieces, jobs, and product/market commentary) and do not materially inform the prompt-injection/agent-abuse story.
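The defensive controls the briefings call for, least-privilege agent permissions and auditable tool use, are concrete enough to show in code. The following is an added illustration, not code from Unit 42, Zenity Labs, Perplexity or any other source in this story. It assumes a hypothetical agent that proposes tool calls as dicts of the form {"tool": name, "args": {...}} and a dispatcher that consults the gate before executing anything; the allow-list, the refusal of non-http(s) schemes such as file://, and the confirmation requirement for side-effecting tools are constructed policy values.

```python
"""Least-privilege tool gate with an audit trail for an LLM agent.

Added illustration, not code from any of the reports summarized above.
Hypothetical assumptions: the agent proposes tool calls as dicts of the
form {"tool": <name>, "args": {...}} and a dispatcher asks this gate
before executing anything; the policy values below are constructed.
"""
from __future__ import annotations

import json
import time
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Deny by default: only these tools may be invoked at all.
ALLOWED_TOOLS = {"fetch_url", "read_calendar", "summarize", "send_message"}
# Only remote web content; file://, chrome:// and similar local schemes are refused,
# so instructions smuggled in a page or invite cannot steer the agent at local data.
ALLOWED_URL_SCHEMES = {"http", "https"}
# Tools whose effects leave the sandbox need an explicit, out-of-band user
# confirmation: ingested content can request them but can never grant them.
REQUIRES_CONFIRMATION = {"send_message"}


def url_permitted(url: str) -> bool:
    """True only for absolute http(s) URLs that name a host."""
    parsed = urlparse(url)  # urlparse lower-cases the scheme, so FILE:// is caught too
    return parsed.scheme in ALLOWED_URL_SCHEMES and bool(parsed.netloc)


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    """Checks each proposed tool call against policy and records the verdict."""
    audit: list[dict] = field(default_factory=list)

    def check(self, call: dict, user_confirmed: bool = False) -> Decision:
        tool = call.get("tool")
        args = call.get("args", {})
        if tool not in ALLOWED_TOOLS:
            verdict = Decision(False, f"tool {tool!r} is not on the allow-list")
        elif "url" in args and not url_permitted(str(args["url"])):
            verdict = Decision(False, f"URL scheme not permitted: {args['url']}")
        elif tool in REQUIRES_CONFIRMATION and not user_confirmed:
            verdict = Decision(False, f"{tool!r} needs explicit user confirmation")
        else:
            verdict = Decision(True, "policy satisfied")
        # Every decision, allowed or denied, is recorded so tool use is auditable.
        self.audit.append({
            "ts": time.time(),
            "tool": tool,
            "args": args,
            "user_confirmed": user_confirmed,
            "allowed": verdict.allowed,
            "reason": verdict.reason,
        })
        return verdict

    def audit_lines(self) -> list[str]:
        """One JSON line per decision, ready for a log pipeline."""
        return [json.dumps(entry, sort_keys=True) for entry in self.audit]


# Constructed sample: the kinds of calls injected content might push an agent toward.
SAMPLE_CALLS = [
    {"tool": "fetch_url", "args": {"url": "https://example.com/article"}},
    {"tool": "fetch_url", "args": {"url": "file:///PLACEHOLDER/extension-data.json"}},
    {"tool": "run_shell", "args": {"cmd": "echo hi"}},
    {"tool": "send_message", "args": {"to": "someone@example.com", "body": "hi"}},
]


def run_sample() -> list[bool]:
    """Gate each sample call; the last entry re-tries send_message with confirmation."""
    gate = ToolGate()
    results = [gate.check(call).allowed for call in SAMPLE_CALLS]
    results.append(gate.check(SAMPLE_CALLS[3], user_confirmed=True).allowed)
    return results


if __name__ == "__main__":
    print(run_sample())
```

The point of the design is that the gate never consults the model's text to decide: an instruction hidden in a web page can make the agent ask for file:// access or an outbound message, but the allow-list, scheme check and confirmation bit are enforced outside the model, and the JSON audit lines give responders a record of what the agent tried, not only what it was allowed to do.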

Sources

March 3, 2026 at 11:00 AM
5 more from sources like Help Net Security, Dark Reading, Insinuator and SCWorld

Related Stories

Indirect Prompt Injection and Prompt Manipulation Risks in AI Agents


Threat researchers and security experts reported that **indirect prompt injection (IDPI)** is being actively used in the wild to manipulate AI agents by embedding hidden instructions in otherwise normal-looking web content (e.g., HTML, metadata, comments, or invisible text). Reported impacts include coercing agents into leaking sensitive data, executing unauthorized actions (including server-side commands), and manipulating downstream systems such as **AI-based ad review** and search ranking workflows (e.g., SEO poisoning and phishing promotion), indicating the technique has moved from theoretical to operational abuse. Separate testing of a healthcare AI used in a prescription-management context showed how **prompt injection** can bypass safeguards to reveal system prompts, generate harmful content, and—via persistence mechanisms such as **SOAP notes**—introduce longer-lived manipulations that could influence clinical outputs (e.g., altering suggested dosages) before human approval. Other items in the set were primarily business/consumer AI commentary (data-management investment surveys, bot-ecosystem interview, and general “dark side of AI” discussion) and did not materially add incident-level or technical detail about prompt-injection exploitation beyond broad risk framing.

1 week ago
Prompt Injection Risks in Agentic AI and AI-Powered Browsers


Security researchers reported that **prompt injection** is enabling practical attacks against *agentic AI* systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, **“promptware,”** describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to **data exfiltration**, cross-system propagation, IoT manipulation, or even **arbitrary code execution**, depending on the permissions and integrations available. Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s *Comet* browser, showing how prompt injection techniques could be used to **extract private information from authenticated sessions (e.g., Gmail)** by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as **untrusted input**, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.

3 weeks ago
Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration


Security researchers reported multiple **prompt-injection-driven attack paths** that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described **AI recommendation/memory poisoning** (mapped in MITRE ATLAS as **`AML.T0080: Memory Poisoning`**) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included **50 distinct prompt samples** tied to **31 organizations across 14 industries**, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering. A separate finding highlighted how **AI agents embedded in messaging apps** can be coerced into leaking secrets via **malicious link previews**. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch **link preview** metadata, the preview request can become a **zero-click exfiltration channel**—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—*persistent memory*, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.

1 month ago
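The link-preview path described in the story above is a zero-click channel because the platform, not the user, makes the request, so the only place a defender can intervene is before the agent's message is posted. The following is an added illustration, not PromptArmor's code nor any messaging platform's. It assumes a hypothetical hook that hands the agent's draft message to scrub_message() before posting; the parameter names and value shapes it treats as credential-like are constructed heuristics, and the sample draft is constructed as well.

```python
"""Scrub credential-bearing URLs from an agent's outbound message before a
messaging platform can fetch a link preview for it.

Added illustration, not PromptArmor's or any platform's code. Hypothetical
assumptions: the agent's draft is a string handed to scrub_message() before
it is posted; the sensitive names and value shapes are constructed heuristics.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Parameter names that commonly carry credentials.
SENSITIVE_NAME = re.compile(r"key|token|secret|passw|auth|cred|session|cookie", re.I)
# Value shapes that look like credentials regardless of the parameter name.
SECRET_VALUE_PATTERNS = (
    re.compile(r"^sk-[A-Za-z0-9_-]{16,}$"),    # "sk-" style API key
    re.compile(r"^AKIA[0-9A-Z]{16}$"),          # AWS access key id shape
    re.compile(r"^[A-Za-z0-9+/=_-]{32,}$"),     # long opaque blob
)


def flagged_params(url: str) -> list[str]:
    """Names of query parameters in `url` that look like they carry a secret."""
    parsed = urlparse(url)
    flagged = []
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        by_name = bool(SENSITIVE_NAME.search(name)) and len(value) >= 8
        by_value = any(p.match(value) for p in SECRET_VALUE_PATTERNS)
        if by_name or by_value:
            flagged.append(name)
    return flagged


def scrub_message(text: str) -> tuple[str, list[dict]]:
    """Return (safe_text, findings).

    Flagged URLs are removed entirely rather than redacted: a redacted URL
    would still trigger a preview fetch to the same host, which by itself
    tells that host a message carrying its link was sent.
    """
    findings: list[dict] = []

    def replace(match: re.Match) -> str:
        url = match.group(0)
        params = flagged_params(url)
        if not params:
            return url
        host = urlparse(url).hostname or "?"
        findings.append({"host": host, "params": params})
        return (f"[link removed: {host}, parameter(s) {', '.join(params)} "
                f"looked like a credential]")

    return URL_RE.sub(replace, text), findings


# Constructed draft: an agent that was coerced into encoding a key into a URL,
# alongside a legitimate link that must survive scrubbing.
SAMPLE_DRAFT = (
    "Summary done. Full report: "
    "https://collector.example/r?api_key=sk-abcdefghijklmnopqrstuvwxyz123456&id=42 "
    "and the docs are at https://docs.example.com/guide?page=3"
)


def run_sample() -> tuple[str, list[dict]]:
    return scrub_message(SAMPLE_DRAFT)


if __name__ == "__main__":
    safe, findings = run_sample()
    print(safe)
    print(findings)
```

Because the check runs on the agent's output rather than on the incoming prompt, it holds regardless of how the injection was phrased; the findings list is also a useful detection signal on its own, since an agent that keeps producing credential-shaped query strings is worth investigating even when every one of them is blocked.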

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.