What happened
Zscaler ThreatLabz (published ~July 3, 2026, covered in Threat-Modeling.com's July 4 Vulnerability Intelligence Report) disclosed two live campaigns exploiting AI agents' inability to distinguish human-visible content from hidden DOM content: a fake Python library (requests-secure-v2) documentation page instructing agents to pay a fake license fee, and a typosquatted DeBank clone (debank[.]auction) using JSON-LD/Open Graph manipulation to get agents to treat it as the authoritative source. Testing showed model-dependent susceptibility — some models completed the fraudulent payment.
Why it matters
This is a demonstrated, real-world attack path (not theoretical) against the trust model underlying nearly all agentic AI: any AI coding assistant, research agent, or browser-automation tool that crawls the open web is exposed simply by researching a poisoned topic, with no malware or credential theft required — the entire web becomes the attack surface.
Attack vector
Attackers build SEO-optimized fake documentation/DeFi sites and embed indirect prompt-injection payloads in hidden DOM nodes (CSS display:none/off-screen positioning, JSON-LD structured metadata, HTML comments, alt-text). When an AI agent scrapes the page while doing legitimate research or troubleshooting, it ingests the hidden instructions as trusted context and executes them — e.g., paying a fake license fee via Stripe or a hardcoded crypto wallet address, or treating a typosquatted DeFi site as authoritative (RAG poisoning).
Affected systems
AI coding assistants, browser-automation agents, research agents (model-agnostic — demonstrated against GPT-5.4, Claude Sonnet 4.5 class models)
Mitigation
Strip hidden DOM nodes before agent ingestion; enforce human-approval gates for any agent-initiated payment, credential submission, or irreversible action; use trusted source allowlists and structured-metadata validation for agent web retrieval; adversarial-test agents against indirect prompt injection per OWASP LLM01.