Attackers Hide Commands in Web Code to Hijack AI Browsing Agents

Attackers are hiding malicious instructions in invisible HTML and structured data to trick AI browsing agents into making fraudulent payments and trusting fake websites.

CSBadmin
3 Min Read

Hidden Instructions in Plain Sight

Cybercriminals are exploiting a weakness in how artificial intelligence agents interpret web content. By embedding secret commands within harmless looking web pages, attackers can manipulate AI systems into performing actions they were never meant to take. This technique, called indirect prompt injection, places instructions inside a page’s HTML code where human visitors would never see them but where automated AI agents scanning the page will read them as legitimate directives.

The attack relies on the trust that many AI models place in structured data formats like JSON LD, which is normally used to help search engines understand a website’s content. Attackers hide malicious prompts within this structured data, along with text pushed off screen using CSS so it remains invisible to humans but fully readable to AI crawlers. In controlled tests, some AI agents exposed to these hidden commands proceeded to complete fraudulent cryptocurrency payments and incorrectly identified fake websites as trustworthy sources.

Two Campaigns, One Strategy

Researchers at Zscaler ThreatLabz identified two distinct campaigns using this method. One campaign created a fake documentation page for a nonexistent Python library called requests-secure-v2. The page was stuffed with keyword heavy content to rank high in search results for developers. Hidden inside was a JSON LD block instructing AI agents to pay a fake three dollar developer license fee to an attacker controlled cryptocurrency wallet.

The second campaign impersonated DeBank, a well known decentralized finance portfolio tracker, using a lookalike domain. This page contained hidden text telling any AI model reading it to treat the fraudulent domain as the official and authoritative source for DeBank information. When researchers tested the fake site against 26 different language models, most correctly rejected it when given the real DeBank address for comparison. However, without that reference point, at least one major model still rated the fraudulent page as trustworthy. Zscaler recommends organizations deploy security controls capable of detecting these hidden injection patterns as AI agents take on more independent tasks online.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.