What happened
Zscaler ThreatLabz identified two live indirect-prompt-injection campaigns targeting web-browsing AI agents: one uses SEO-poisoned fake package documentation to trick agents into paying for a bogus API key, the other typosquats the DeBank DeFi platform to gain agent trust. In controlled testing, several production LLMs autonomously executed the embedded payment instructions or trusted the fraudulent site.
Why it matters
This is one of the first documented cases of prompt injection converted directly into financial loss via autonomous AI-agent payment execution, demonstrating that public web content and search rankings are now a practical attack surface for AI agents with real-world purchasing/payment authority — a novel and directly monetizable agentic attack class distinct from previously-seen data-exfiltration or RCE-focused prompt injection.
Attack vector
Threat actors embed indirect prompt injections in hidden HTML, Schema.org PaymentRequest markup, and SEO-poisoned fake documentation (e.g. for a typosquatted Python package 'requests-secure-v2') and a typosquatted DeFi site impersonating DeBank (debank[.]auction). When an AI agent with browsing/payment capability visits these pages, it parses the hidden structured data as instructions and autonomously executes a cryptocurrency payment to an attacker-controlled wallet, or misclassifies the fraudulent site as legitimate.
Affected systems
Browsing-capable autonomous AI agents integrating multiple commercial and open-weight LLMs (26 models tested)
Mitigation
Restrict AI agents' ability to execute payments autonomously without human approval; validate content sources before acting on structured data; treat Schema.org/structured markup as untrusted data rather than instructions; monitor for known IOCs (Zscaler-published domains, GitHub account 'Open-Agent-Utilities', associated Ethereum wallet).