AI agents weaponized through indirect prompt injection intrusions

HackRead reports that hidden website code has been tapped to facilitate indirect prompt injection attacks against AI assistants, such as GitHub Copilot and Claude Code.

Malicious actors have weaponized HTML comments, metadata tags, 1px fonts, and transparent colors, as well as accessibility layers to successfully conceal IPI attack-enabling code across multiple websites, findings from a Forcepoint analysis showed. Hidden commands in the "faladobairro[.]com," "perceptivepumpkin[.]com," and "thelibrary-welcome[.]uk" websites allowed backup folder deletion, illicit delivery of $5,000 through PayPal.me, and forced exposure of a secret API key, respectively. On the other hand, other websites had malicious invisible code that led to denial-of-service compromise, traffic hijacking, and SEO manipulation.

"Unlike direct prompt injection, where a user sends malicious input to a model, IPI hides adversarial instructions inside ordinary web content. When an AI agent crawls or summarizes a poisoned page, it ingests those instructions and executes them as legitimate commands, with no indication that anything went wrong," said Forcepoint researchers.