Technical description
Researchers from Nanyang Technological University, ST Engineering, IBM Research, and the University of Illinois Urbana-Champaign published StakeBench (arXiv 2606.13385) on June 12, 2026 — the first stakeholder-centric prompt injection benchmark. Testing NanoBrowser and BrowserUse agents with GPT-5 and Gemini 2.5-Flash across 3,168 attack simulations, they found zero attack objectives were reliably resisted. Direct injection succeeded in more than 79% of configurations; indirect attacks succeeded 41.67–68.16%. The study documents a 'stealthy parasitism' failure mode where agents complete users' tasks while simultaneously executing attacker objectives — invisible to conventional detection.
Attack vector
Adversarial instructions embedded in web page content (product reviews, comments, page text) that AI web agents encounter during task execution. Stealthy parasitism attacks are particularly dangerous because the user sees correct output while the attacker's objective (e.g., biased product recommendations, credential harvesting) is simultaneously achieved.
Affected systems
All production web agents tested — those powered by GPT-5 and Gemini 2.5-Flash using NanoBrowser and BrowserUse frameworks. The paper's findings apply broadly to any LLM agent that browses the web to complete tasks on behalf of users.
Mitigation
No complete mitigation exists. Recommended controls: implement stakeholder-aware harm monitoring that tracks multi-party impact (not just task success); treat prompt injection as a distribution of harm requiring contextual assessment; apply agent output monitoring for asymmetric behaviour patterns indicative of stealthy parasitism.