
Malicious web pages are hijacking AI agents. They’re forcing unauthorized financial transactions. New security reports from Google and Forcepoint confirm the attacks.
The attacks use hidden instructions. They’re embedded in websites that AI assistants read. Humans never see them. The result? Forced PayPal transfers. Redirected Stripe donations. Google’s security team reported a 32% increase in malicious prompt injections from November 2025 to February 2026.
The technique is called “indirect prompt injection.” It manipulates AI agents by embedding commands within seemingly legitimate web content. Attackers are using hidden HTML instructions. They’re using metadata payloads. They’re using nearly invisible text. All designed to trick AI systems into carrying out financial actions without user consent.
Forcepoint discovered financially focused payloads. They included fully specified PayPal transaction instructions. Schemes to redirect Stripe donations. These attacks exploit the fundamental way AI agents interact with web pages. They read and process all text content. That includes elements invisible to human users.
The vulnerability has gained serious attention. Prompt injection now ranks as OWASP LLM01:2025. That’s the top AI vulnerability designated by the Open Web Application Security Project. The FBI recorded nearly $900 million in AI-related scam losses in 2025. The financial stakes are massive.
Neither Google nor Forcepoint sees evidence of fully scaled, coordinated campaigns yet. But shared payload templates suggest emerging tooling. Attackers may be developing standardized methods. They’re preparing to deploy these exploits more widely.
The attacks raise unresolved legal questions. Who’s liable? The AI provider? The website hosting malicious content? The user whose agent was compromised? The current legal framework provides little clarity.
The sophistication of these attacks represents a notable evolution. Traditional phishing requires human interaction. Prompt injection attacks don’t. They automate the exploitation process by directly targeting the AI intermediary. AI agents are becoming more capable of handling financial transactions. They’re handling other sensitive actions. The potential impact of these vulnerabilities grows substantially.
Security researchers warn that AI adoption is accelerating. These attack vectors will likely become more prevalent. Organizations deploying AI agents with web browsing capabilities face mounting pressure. They need to implement robust safeguards against prompt injection. The broader industry is working toward comprehensive security standards. It’s not moving fast enough.
