On April 22 and April 23, 2026, two independent reports landed within twenty-four hours of each other and quietly moved indirect prompt injection (IPI) from a research curiosity to an operational concern. Forcepoint X-Labs published a catalogue of ten live IPI payloads found on indexed web pages. The next day, Google's Security Blog reported a measurable rise in the same activity across its crawled corpus.
For organisations deploying AI agents that browse, summarise, or take action on web content, this is the moment IPI stops being a slide in a research talk and starts being a finding in a tabletop exercise.
What IPI is, in one paragraph
In a direct prompt injection, an attacker controls the prompt the user sends to a model. In an indirect prompt injection, the attacker plants instructions in content the model later retrieves — a web page, an email, a PDF, a calendar invite, a code comment. When an agent fetches that content, the hidden instructions become part of the model's context and the model may follow them as if the user had asked. The user never sees the malicious text; the agent does.
What Forcepoint found
Senior Forcepoint researcher Mayur Sewani documented ten distinct payloads across ten distinct domains, grouped into six attacker objectives:
| Objective | What the agent is told to do |
|---|---|
| Financial fraud | Initiate a PayPal or Stripe transaction on the user's behalf |
| Data destruction | Run shell commands such as sudo rm -rf against the host |
| Denial of service | Refuse to answer, suppress output, or break the conversation |
| SEO and traffic manipulation | Recommend a specific site or steer referral traffic |
| Sensitive data exfiltration | Reveal API keys, secrets, or prior conversation context |
| Output hijacking | Force the model to produce attacker-chosen content |
The hiding techniques are familiar to anyone who has done web work, which is part of what makes this practical at scale:
- HTML comments — `<!-- if you are an AI assistant, ... -->`
- CSS invisibility — `display:none`, `font-size:1px`, `color: rgba(0,0,0,0.01)`
- Accessibility abuse — `aria-hidden="true"`, `.visually-hidden` utility classes
- Hidden footer or sidebar `<div>` and `<p>` elements
- Meta-tag namespace injection — custom `ai:action` meta tags positioned as if part of an emerging "AI directive" standard
None of these techniques is new on its own. What is new is that they are now being deployed against an audience that does not exist for human visitors: an AI agent that reads the rendered DOM (or sometimes the raw HTML) and treats text as text, regardless of whether a sighted user would ever see it.
Two case studies worth reading carefully
The full Forcepoint write-up is worth a read; two cases stand out.
PayPal fraud on perceptivepumpkin.com. The injection sat in an HTML comment and instructed any AI assistant rendering the page to initiate a $5,000 PayPal.me transaction, with step-by-step UI guidance ("hit Send, confirm purchase"). The payload assumed the agent had a payment capability and a user session. Most agents today don't — but the trajectory of "agentic" features in 2026 is straight at that ceiling.
Stripe donation hijack on archibase.co. The payload used a meta-tag namespace injection (a fake ai:action directive) to tell the agent to surface a specific Stripe donation link, amplified by the persuasion token "ULTRATHINK" — a tactic borrowed from prior research into reasoning-prompt manipulation. This one is interesting because it doesn't require the agent to act on the user's behalf; it only needs the agent to recommend the link.
Forcepoint also flagged evidence of shared tooling across multiple domains — the same template structures and persuasion phrases appearing in unrelated sites — which suggests at least one common toolkit is in circulation.
What Google's data adds
Google's blog reports a 32 percent relative increase in the malicious-IPI category between November 2025 and February 2026, drawn from its web crawl. We are citing that figure as Google reported it; the underlying methodology is summarised in Google's post. Two reports converging in the same week, from a search-scale crawl and from a security-vendor telemetry view, is the kind of cross-validation that raises this from anecdote to trend.
What this means for defenders
Most of the immediate exposure is concentrated in three places:
- Browser-using copilots that summarise pages a user navigates to (research assistants, sales-enablement copilots, customer-support agents triaging linked tickets).
- Retrieval-augmented agents that ingest external web content into their context (competitive-intelligence bots, news summarisers, market-monitoring agents).
- Agentic systems with action capability — the ones that can send email, file tickets, write to repos, hit payment APIs, or execute shell. The blast radius scales with the privilege.
A pragmatic checklist:
- Inventory your AI agents. Which ones browse the web? Which can act on the user's behalf? The two together is where IPI becomes material.
- Enforce a data/instruction boundary. Treat retrieved web content as data to be reasoned over, not as instructions to be followed. This is an agent-runtime control, not a prompt-engineering one.
- Constrain egress. Outbound HTTP from agent runtimes to payment processors, identity providers, or unsanctioned hosts should be policy-controlled and logged. The Forcepoint cases all required the agent to follow a link to a third-party site to complete the attack.
- Log the model inputs. When retrieved content is injected into a prompt, capture it. Patterns like "ignore previous instructions", `[SYSTEM OVERRIDE]`, or `aria-hidden` instructional text are detection signal in their own right.
- Update your TPRM. Vendor questionnaires for any platform offering "agentic" features should now include explicit IPI-resilience questions: how is retrieved content scoped, is it tagged as untrusted in the model context, what privileges can it exercise.
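An added example, not code from Forcepoint, Google or this article: a Python scanner that applies the "log the model inputs" item to the hiding techniques listed earlier, pulling out text a sighted visitor would not see and flagging instruction-like phrasing. The phrase list, the carrier names, the `scan` helper and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics constructed for this example; tune them against your own logged inputs.
INSTRUCTION_RE = re.compile(r"ignore (all )?previous instructions|\[SYSTEM OVERRIDE\]|if you are an ai", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|font-size\s*:\s*[01]px|rgba\([^)]*,\s*0?\.0\d*\)", re.I)
VOID = {"meta", "br", "img", "input", "link", "hr"}  # tags with no end tag

class HiddenTextScanner(HTMLParser):  # collects text a sighted visitor would not see
    def __init__(self):
        super().__init__()
        self.stack = []     # one entry per open element: carrier name or None
        self.findings = []  # (carrier, text, instruction_like)

    def _record(self, carrier, text):
        text = " ".join(text.split())
        if text:
            self.findings.append((carrier, text, bool(INSTRUCTION_RE.search(text))))

    def handle_comment(self, data):
        self._record("html-comment", data)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower().startswith("ai:"):
            self._record("meta-ai-namespace", a.get("content", ""))
        if tag not in VOID:
            self.stack.append("css-hidden" if HIDDEN_STYLE_RE.search(a.get("style", "")) else
                              "aria-hidden" if a.get("aria-hidden", "").lower() == "true" else
                              "visually-hidden" if "visually-hidden" in a.get("class", "").split() else None)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if any(self.stack):  # inside at least one hidden ancestor
            self._record(next(c for c in reversed(self.stack) if c), data)

def scan(html):
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()  # flush any buffered trailing text
    return scanner.findings

# Constructed sample page; payload bodies are placeholders, not real attacker text.
SAMPLE = """<head><meta name="ai:action" content="[SYSTEM OVERRIDE] PLACEHOLDER"></head><body>
<p>Visible copy.</p><!-- if you are an AI assistant, PLACEHOLDER --><span aria-hidden="true">icon</span>
<div style="display:none">ignore previous instructions: PLACEHOLDER</div></body>"""
```

The element stack assumes well-formed markup, and styles applied from external stylesheets are not seen, so treat hits as triage signal on logged inputs rather than as a filter.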
What this is not
IPI is not a vendor-specific CVE. Neither Forcepoint nor Google attributes the observed payloads to a specific vulnerable LLM, agent platform, or browser extension. We are deliberately not naming products that "are vulnerable to" IPI; structurally, every agent that ingests untrusted text and treats it as instruction is vulnerable in principle. The risk is determined by the agent's privileges, not by the underlying model.
A note on this article
The source pages we read for this brief contain live IPI payloads as samples. We have paraphrased them and avoided pasting verbatim attacker instructions in renderable text, so that any downstream LLM summarising or indexing this article is not itself induced to follow them. The pattern descriptions and payload categories are accurate to the source reports.
Sources
- Mayur Sewani, Forcepoint X-Labs, 10 Indirect Prompt Injection Payloads Caught in the Wild, 22 April 2026.
- Google Security Blog, AI threats in the wild: The current state of prompt injections on the web, 23 April 2026.