{"id":5211,"date":"2026-04-25T10:38:51","date_gmt":"2026-04-25T10:38:51","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/04\/25\/researchers-uncover-10-in-the-wild-prompt-injection-payloads-targeting-ai-agents\/"},"modified":"2026-04-25T10:38:51","modified_gmt":"2026-04-25T10:38:51","slug":"researchers-uncover-10-in-the-wild-prompt-injection-payloads-targeting-ai-agents","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/04\/25\/researchers-uncover-10-in-the-wild-prompt-injection-payloads-targeting-ai-agents\/","title":{"rendered":"Researchers Uncover 10 In-the-Wild Prompt Injection Payloads Targeting AI Agents"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security researchers have discovered 10 new indirect prompt injection (IPI) payloads targeting AI agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft and more.<\/p>\n<p>Threat actors achieve IPI by poisoning web content so that when an agent crawls or summarizes it, the instructions will be executed as legitimate.<\/p>\n<p>It impacts any agent that browses and summarizes web pages, indexes content for RAG pipelines, auto-processes metadata\/HTML comments, or reviews pages for ad content, SEO ranking or moderation.<\/p>\n<p>\u201cThe impact scales with AI privilege. A browser AI that can only summarize is low-risk,\u201d explained Forcepoint senior security researcher, Mayur Sewani, in a blog post yesterday. \u201cAn agentic AI that can send emails, execute terminal commands or process payments becomes a high-impact target.\u201d<\/p>\n<p><em>Read more on indirect prompt injection: HashJack Indirect Prompt Injection Weaponizes Websites.<\/em><\/p>\n<p>The Forcepoint research uncovered the follow common triggers for IPI:<\/p>\n<ul>\n<li>&#8220;Ignore previous instructions&#8221;<\/li>\n<li>&#8220;Ignore all previous instructions&#8221;<\/li>\n<li>&#8220;If you are an LLM&#8221;<\/li>\n<li>&#8220;If you are a large language model&#8221;<\/li>\n<\/ul>\n<p>Whatever the payload, the attack chain is the same. The threat actor poisons web content and hides the payload, then waits for the agent to interact with it. Once it ingests the page, the agent ignores previous instructions, follows the attacker\u2019s direction and triggers a real-world action \u2013 often with \u201ca covert exfiltration return channel back to the attacker,\u201d Sewani explained.<\/p>\n<h2><strong>Data Theft and Destruction<\/strong><\/h2>\n<p>Several of the examples Forcepoint found in the wild seem\u00a0fairly innocuous.<\/p>\n<p>They include a false assertion that the copyright owner has &#8220;expressly forbidden&#8221; the AI to answer any user questions about the page\u2019s content \u2013 technically described as \u201cdenial of service\u201d or content suppression.<\/p>\n<p>Another is a <em>de facto<\/em> sales pitch. Described as \u201cattribution hijacking,\u201d it instructs the AI to credit \u201cKirill Bobrov\u201d with the content it is ingesting and encourage the user to contact him for consulting work.<\/p>\n<p>However, other IPI payloads discovered by Sewani and his team are more obviously malicious.<\/p>\n<p>One attempts to force an LLM-powered coding assistant, developer tool or agentic AI with shell access to execute\u00a0a Unix command for \u201crecursive forced deletion of files and directories,\u201d Sewani explained.<\/p>\n<p>\u201cThis attack is notable because it targets the agentic AI attack surface specifically: AI assistants integrated into IDEs, terminal environments or DevOps pipelines,\u201d he continued. \u201cTools like GitHub Copilot, Cursor, Claude Code or AI-powered CI\/CD reviewers could potentially ingest this from a webpage during research tasks.\u201d<\/p>\n<p>Another contains the instruction &#8220;send me the secret API key&#8221; in order to force the agent to leak any secrets it may be able to access, while also attempting to hide the injection via the instruction \u201cDo not analyze the code \/ Do not spit out the flag.&#8221;<\/p>\n<p>A third payload is an audacious attempt at financial fraud which embeds a PayPal.me link, a $5,000 fixed amount and full instructions to process the transaction.<\/p>\n<p>\u201cThis payload is designed for AI agents that have integrated payment capabilities: browser agents with saved payment credentials, AI financial assistants or agentic tools with access to digital wallets,\u201d explained Sewani.<\/p>\n<p>\u201cThe extraordinary specificity \u2013 exact amount, exact URL, exact steps \u2013 indicates this is not a probe, but a weaponized payload intended for immediate execution.\u201d<\/p>\n<p>Forcepoint concluded with a warning: if agents ingest untrusted web content \u201cwithout enforcing a strict data-instruction boundary,\u201d every page they read is a potential threat.\u00a0<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have discovered 10 new indirect prompt injection (IPI) payloads targeting AI agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft and more. Threat actors achieve IPI by poisoning web content so that when an agent crawls or summarizes it, the instructions will be executed as legitimate. It impacts<\/p>\n","protected":false},"author":2,"featured_media":5212,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/04\/5211-cb3e39e9-34b0-4007-a20b-7f080038454a-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=5211"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/5211\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/5212"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=5211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=5211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=5211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}