Overview
- Forcepoint X-Labs reported ten in-the-wild indirect prompt injection payloads targeting AI tools that browse or index websites.
- Indirect prompt injection hides commands in page text or metadata that an agent reads as instructions because it cannot separate data from commands.
- Documented payloads sought to delete files with sudo rm -rf, send $5,000 via PayPal.me, or exfiltrate an API key.
- Attackers concealed the instructions with 1px or transparent text, HTML comments or tags, CSS like display:none, or accessibility layers.
- Researchers said agents with privileges such as running code, sending email, or making payments face the highest risk and urged strict separation before allowing actions.