Prompt Injection Attacks Are Live on Billions of Web Pages

This Is Not a Research Paper Anymore

For two years, prompt injection was a conference talk topic. Researchers would demo it on stage, the audience would nod, and everybody went back to deploying AI agents with zero input validation.

That phase is over.

In April 2026, Google's Threat Intelligence team published results from scanning 2 to 3 billion crawled web pages per month looking specifically for indirect prompt injection payloads. They found a 32% surge in malicious prompt injection activity between November 2025 and February 2026. Not proof-of-concepts. Not CTF challenges. Real payloads, on real websites, targeting real AI agents.

The same week, Forcepoint X-Labs published their own findings: 10 verified indirect prompt injection payloads on live websites, spanning financial fraud, data destruction, API key theft, and AI denial-of-service. One payload contained fully specified PayPal transaction instructions, complete with a $5,000 amount and step-by-step guidance for AI agents with payment access. Another attempted to force coding assistants to execute rm -rf / via shell access.

If your AI agents browse the web, process emails, or ingest any external content, they are already operating in hostile territory.

What These Attacks Actually Look Like

The mechanics are simple, which is exactly why they work.

Attackers embed hidden instructions inside ordinary web pages. The text is invisible to humans. A single pixel tall. Color matched to the background. Tagged as display: none. But AI agents reading the page see every word.

Google documented several categories from their billion-page scan:

Financial fraud. A PayPal.me link with a fixed amount and explicit instructions for the agent to complete the transaction. Targeting browser agents with saved payment credentials or agentic tools connected to digital wallets. Decrypt reported on the specific payload: it included step-by-step instructions designed for agents that can process payments.

Data exfiltration. The Claudy Day attack chain demonstrated this on Anthropic's own Claude.ai. Three vulnerabilities chained together: invisible prompt injection via URL parameters, data exfiltration through the Anthropic Files API, and an open redirect on claude.com. An attacker could run a Google ad with a legitimate-looking claude.com URL that silently searched the victim's conversation history and uploaded it to the attacker's account. If the most safety-focused AI lab can be vulnerable, your internal deployment is not immune.

Infrastructure destruction. Forcepoint found a payload that instructed AI coding assistants to execute recursive forced deletion of files and directories. A single page visit by an agent with shell access could wipe a development environment.

Attribution hijacking. Lower-impact but telling: hidden instructions that tell AI agents to credit a specific consultant with the page's content and recommend the user contact them. Weaponized SEO through prompt injection.

Why This Is Getting Worse, Not Better

Google's researchers noted something important: the sophistication of current attacks is still relatively low. Most payloads use basic HTML hiding techniques. They concluded that the upward trend indicates the threat is maturing and will grow in both scale and complexity.

This tracks with the economics. AI agents are becoming more capable and more valuable as targets. At the same time, threat actors are automating their own operations with agentic AI, reducing attack costs. Palo Alto's Unit 42 confirmed the pattern from their own research: web-based indirect prompt injection targeting AI agents is no longer speculative.

The attack surface is expanding because companies keep giving AI agents more permissions. Payment processing. Email sending. Code execution. Database access. Each new capability is a new exploitation path that a hidden instruction on a random web page can trigger.

What You Should Do This Week

If you deploy AI agents that process external content, here are concrete steps:

1. Audit agent permissions immediately. List every tool, API, and system your AI agents can access. Apply least-privilege ruthlessly. An agent that summarizes web pages does not need PayPal access. An agent that drafts emails does not need shell access. This is not optional under EU AI Act Art. 9 risk management requirements either.

2. Implement input sanitization for all external content. Strip hidden HTML elements, invisible text, and suspicious meta tags before feeding content to your models. Google's research shows attackers use standard CSS tricks. Basic HTML sanitization catches most current payloads.

from bs4 import BeautifulSoup
 
def sanitize_for_llm(html_content: str) -> str:
    soup = BeautifulSoup(html_content, "html.parser")
    # Remove hidden elements
    for tag in soup.find_all(style=True):
        style = tag.get("style", "").lower()
        if any(s in style for s in [
            "display:none", "display: none",
            "visibility:hidden", "visibility: hidden",
            "font-size:0", "font-size: 0",
            "opacity:0", "opacity: 0",
        ]):
            tag.decompose()
    # Remove 1px elements
    for tag in soup.find_all(attrs={"height": "1", "width": "1"}):
        tag.decompose()
    return soup.get_text(separator="\n", strip=True)

3. Monitor agent actions, not just outputs. Log every tool call, every API request, every external interaction your agents make. When an agent suddenly attempts a PayPal transaction it was never designed to make, you need to catch that in real-time. EU AI Act Art. 12 requires this logging infrastructure for high-risk systems anyway.

4. Test for prompt injection before production. Run adversarial input testing against your agents with known payload patterns from the Google and Forcepoint research. If your agent follows hidden instructions on a test page, it will follow them on a real one.

How DeviDevs Approaches This

We build the security testing and monitoring infrastructure that catches these attacks before they cause damage. Prompt injection testing against your specific agent architecture. Art. 9 risk management documentation that accounts for indirect injection as a threat vector. Art. 12 logging systems that capture every agent action for post-incident analysis.

The companies spending $100K+ on AI agent security platforms still need someone to actually test their agents against real payloads and document the results for compliance. That is what we do.

Not sure where your AI systems stand on EU AI Act readiness? Take the 2-minute risk assessment to find out.

The Web Is Now an Active Threat to Your AI

Google scanned billions of pages and found the attacks. Forcepoint catalogued 10 live payload types. Anthropic's own product got hit with a chained exploit. The evidence is not ambiguous.

Every AI agent that reads external content without sanitization and monitoring is a target. The question is not whether prompt injection will affect your systems. The question is whether you will detect it when it does.

About DeviDevs: We build ML platforms, secure AI systems, and help companies comply with the EU AI Act. devidevs.com