Indirect Prompt Injection and AI Agent Abuse Expands Real-World Attack Surface
Security researchers and industry reporting describe prompt injection—especially web-based indirect prompt injection (IDPI)—as an increasingly practical technique for compromising or manipulating LLM-powered agents embedded in browsers and automated content pipelines. Palo Alto Networks Unit 42 reported in-the-wild IDPI activity where malicious instructions are hidden in web content that an agent later ingests, with observed objectives including AI-based ad review evasion and SEO manipulation that promotes phishing infrastructure. Separately, Zenity Labs detailed a now-patched issue in Perplexity’s Comet AI browser where attackers could embed instructions in a calendar invite to coerce the agent into accessing file:// resources and potentially pivoting into sensitive data such as an unlocked 1Password extension vault, illustrating how agentic tooling can bypass traditional browser-origin assumptions.
Threat reporting also shows adversaries operationalizing AI to scale exploitation. Team Cymru linked an AI-assisted Fortinet FortiGate targeting campaign (previously reported by Amazon Threat Intelligence as compromising 600+ devices across 55 countries using services like Claude and DeepSeek) to use of CyberStrikeAI, an open-source Go-based platform that integrates 100+ security tools and was observed from multiple IPs (primarily hosted in China/Singapore/Hong Kong, with additional infrastructure elsewhere). Multiple commentaries and briefings emphasize that conventional “filter the prompt” defenses are insufficient because LLMs lack a native separation between instructions and data; they call for defense-in-depth around AI pipelines, including least-privilege agent permissions, auditable tool use, and stronger identity/workload controls as agent deployments multiply. Several items in the set are unrelated (geopolitical cyber activity, workforce/culture pieces, jobs, and product/market commentary) and do not materially inform the prompt-injection/agent-abuse story.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Team Cymru links CyberStrikeAI to global AI-driven FortiGate attacks
On March 3, 2026, Team Cymru reported that an AI-assisted campaign targeting Fortinet FortiGate appliances used the open-source CyberStrikeAI offensive platform. The activity was associated with automated mass scanning from 212.11.64[.]250 and attributed in reporting to a suspected Russian-speaking threat actor, while the tool's developer showed possible ties to Chinese state-linked entities.
Zenity publicly discloses Comet browser calendar invite exploit chain
On March 3, 2026, reporting detailed Zenity Labs' findings that Perplexity's Comet AI browser could be exploited through calendar invitations to access local files and potentially abuse an unlocked 1Password session. The disclosure also noted Perplexity's prior fixes and framed calendar entries as an underappreciated attack surface for AI agents.
Unit 42 reports indirect prompt injection is now observed in the wild
On March 3, 2026, Palo Alto Networks Unit 42 published research stating that web-based indirect prompt injection had moved from proof-of-concept to active real-world weaponization. The report documented additional detections involving SEO poisoning, unauthorized payment attempts, data exfiltration, and destructive commands, and recommended defense-in-depth mitigations.
AIUC-1 Consortium issues 2025 briefing on enterprise AI agent risks
A 2025 briefing cited on March 3, 2026 by the AIUC-1 Consortium, with input from Stanford's Trustworthy AI Research Lab and more than 40 security executives, identified autonomous overprivileged agents, shadow AI visibility gaps, and prompt injection trust failures as the dominant enterprise AI risk areas. It recommended technical controls such as tool-call validation, prompt-injection logging, containment testing, and continuous adversarial testing.
Samsung SDS publishes top enterprise cyber threats for 2026
On March 2, 2026, Samsung SDS published an assessment naming AI-based threats, ransomware, cloud security issues, phishing/account takeovers, and data security as the five most significant enterprise cybersecurity risks for 2026. The report recommended mitigations including least privilege for AI agents, hardened backups, CNAPP adoption, MFA, and stronger data access controls.
Amazon discloses AI-assisted compromise of 600+ FortiGate devices
Before March 2026, Amazon Threat Intelligence disclosed that an attacker used generative AI services including Anthropic Claude and DeepSeek to compromise more than 600 FortiGate devices across 55 countries. This disclosure established the scale of the FortiGate campaign later tied to CyberStrikeAI activity.
Perplexity issues second patch that closes Comet exploit vector
In February 2026, Perplexity released a subsequent patch that reportedly closed the specific Comet browser exploit path involving file:// access and calendar-invite-delivered indirect prompt injection.
1Password publishes advisory and adds hardening options
In late January 2026, 1Password issued an advisory related to the Comet browser research and introduced hardening options. The company noted the risk stemmed from an AI agent operating inside an already authenticated session rather than a flaw in 1Password's external security model.
CyberStrikeAI infrastructure observed in FortiGate attack activity
Between January 20 and February 26, 2026, Team Cymru observed 21 unique IP addresses running the open-source CyberStrikeAI platform, with infrastructure concentrated in China, Singapore, and Hong Kong. The tooling was linked to AI-assisted activity targeting Fortinet FortiGate devices.
Perplexity ships initial Comet fix for calendar invite attack path
In January 2026, Perplexity released an initial fix for the Comet browser issue involving indirect prompt injection via calendar invites. Zenity later found a way to bypass this first remediation.
Unit 42 detects indirect prompt injection against ad review system
In December 2025, Palo Alto Networks Unit 42 observed a real-world web-based indirect prompt injection attempt targeting an AI-driven advertisement review system. The attack used concealed prompt-delivery techniques on a scam advertorial page to try to bypass the review process.
NCSC warns prompt injection may be unsolved at the input level
In December 2025, the UK National Cyber Security Centre warned that prompt injection in LLMs may be an unsolved or even unsolvable problem at the input layer because models do not inherently separate instructions from data.
BlackBoxAI extension research uncovers prompt leakage and code execution risks
In November 2025, ERNW researcher Ahmad Abolhadid analyzed the BlackBoxAI Visual Studio Code extension and showed it could be manipulated to reveal system prompts and execute attacker-supplied code through indirect prompt injection. The demonstrations included reverse-shell compromise and repeated attempts to coerce privileged execution.
Perplexity notified of Comet calendar invite prompt-injection flaw
In October 2025, Zenity Labs reported to Perplexity that its Comet AI browser could be manipulated through indirect prompt injection delivered via calendar invitations, enabling access to local files and other sensitive resources under certain conditions.
OWASP ranks prompt injection as top LLM application risk
OWASP has listed prompt injection as the top vulnerability in its LLM Applications Top 10 since 2023, establishing it as a leading security concern for AI-enabled systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Why regulated industries need architectural defenses against prompt injection | perspective | SC Media
scworld.com
Open sourceOpen-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries
thehackernews.com
Open sourceFooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild
unit42.paloaltonetworks.com
Open sourceAI went from assistant to autonomous actor and security never caught up - Help Net Security
helpnetsecurity.com
Open sourcePerplexity Comet browser hole was exploitable via cal invite • The Register
go.theregister.com
Open sourceBlackBoxAI: AI Agent can get your computer fully compromised - Insinuator.net
insinuator.net
Open sourceBoards misunderstand identity risk, says cybersecurity veteran | brief | SC Media
scworld.com
Open sourceSamsung SDS names top 5 cybersecurity threats for 2026 | brief | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Indirect Prompt Injection and Prompt Manipulation Risks in AI Agents
Threat researchers and security experts reported that **indirect prompt injection (IDPI)** is being actively used in the wild to manipulate AI agents by embedding hidden instructions in otherwise normal-looking web content (e.g., HTML, metadata, comments, or invisible text). Reported impacts include coercing agents into leaking sensitive data, executing unauthorized actions (including server-side commands), and manipulating downstream systems such as **AI-based ad review** and search ranking workflows (e.g., SEO poisoning and phishing promotion), indicating the technique has moved from theoretical to operational abuse. Separate testing of a healthcare AI used in a prescription-management context showed how **prompt injection** can bypass safeguards to reveal system prompts, generate harmful content, and—via persistence mechanisms such as **SOAP notes**—introduce longer-lived manipulations that could influence clinical outputs (e.g., altering suggested dosages) before human approval. Other items in the set were primarily business/consumer AI commentary (data-management investment surveys, bot-ecosystem interview, and general “dark side of AI” discussion) and did not materially add incident-level or technical detail about prompt-injection exploitation beyond broad risk framing.
Mar 21, 2026
Prompt Injection Risks in Agentic AI and AI-Powered Browsers
Security researchers reported that **prompt injection** is enabling practical attacks against *agentic AI* systems that have access to tools and user data, and argued the industry is underestimating the threat. A proposed framing, **“promptware,”** describes malicious prompts as a malware-like execution mechanism that can drive an LLM to take actions via its connected tools—potentially leading to **data exfiltration**, cross-system propagation, IoT manipulation, or even **arbitrary code execution**, depending on the permissions and integrations available. Trail of Bits disclosed results from an adversarial security assessment of Perplexity’s *Comet* browser, showing how prompt injection techniques could be used to **extract private information from authenticated sessions (e.g., Gmail)** by abusing the browser’s AI assistant and its tool access (such as reading page content, using browsing history, and interacting with the browser). Their threat-model-driven testing emphasized that agentic assistants can treat external web content as instructions unless it is explicitly handled as **untrusted input**, and they published recommendations intended to reduce prompt-injection-driven data paths between the user’s local trust zone (profiles/cookies/history) and vendor-hosted agent/chat services.
Mar 21, 2026
Indirect Prompt Injection and Data Exfiltration Risks in Enterprise AI Agents
Security researchers warned that **AI agents and retrieval-augmented generation (RAG) systems** can be turned into data-exfiltration channels when attackers poison inputs or embed malicious instructions in content the model is expected to process. One report described a **0-click indirect prompt injection** against *OpenClaw* agents in which hidden instructions cause the agent to generate an attacker-controlled URL containing sensitive data such as API keys or private conversations in query parameters; messaging platforms like *Telegram* or *Discord* can then automatically request that URL for link previews, silently delivering the data to the attacker. The same reporting noted concerns about insecure defaults that allow agents to browse, execute tasks, and access local files, expanding the blast radius of prompt-injection abuse. Related analysis highlighted that the same core weakness extends beyond standalone agents to **enterprise RAG deployments**, where the integrity of the knowledge base becomes part of the security boundary. If attackers can poison indexed documents in systems such as SharePoint or Confluence, they can manipulate retrieval results and influence model outputs, including security workflows and analyst guidance. Broader commentary on **agentic AI threat convergence** reinforced that prompt engineering is no longer just a productivity technique but an emerging exploit class, with adversaries using prompt injection and context manipulation against AI-enabled security operations. Together, the reporting shows that enterprise AI risk increasingly depends on controlling untrusted content, hardening agent permissions, and treating prompts, retrieved documents, and downstream integrations as attack surfaces.
May 7, 2026