Malware

Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

20 min read

Executive Summary

Large language models (LLMs) and AI agents are becoming deeply integrated into web browsers, search engines and automated content-processing pipelines. While these integrations can expand functionality, they also introduce a new and largely underexplored attack surface. One particularly concerning class of threats is indirect prompt injection (IDPI), in which adversaries embed hidden or manipulated instructions within website content that is later ingested by an LLM. This article shares in-the-wild observations from our telemetry, including our first observed case of AI-based ad review evasion.

Instead of interacting directly with the model, attackers exploit benign features like webpage summarization or content analysis. This causes the LLM to unknowingly execute attacker-controlled prompts, with the impact scaling based on the sensitivity and privileges of the affected AI system.

Prior research on IDPI has largely focused on theoretical risks, demonstrating proof-of-concept (PoC) attacks or low-impact real-world detections. In contrast, our analysis of large-scale real-world telemetry shows that IDPI is no longer merely theoretical but is being actively weaponized.

In this article, we present an analysis of our in-the-wild detections of IDPI attacks. These attacks are deployed by malicious websites and exhibit previously undocumented attacker intents, including:

Our first observed case of AI-based ad review evasion
Search-engine optimization (SEO) manipulation promoting a phishing site that impersonates a well-known betting platform
Data destruction
Denial of service
Unauthorized transactions
Sensitive information leakage
System prompt leakage

Our research identified 22 distinct techniques attackers used in the wild to put together payloads, some of which are novel in their application to web-based IDPI. From these observations, we derive a concrete taxonomy of attacker intents and payload engineering techniques. We analyze our telemetry and provide a broad overview of how IDPI manifests across the web.

To mitigate web-based IDPI, defenders require proactive, web-scale capabilities to detect IDPI, distinguish benign and malicious prompts, and identify underlying attacker intent.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

The Unit 42 AI Security Assessment can help empower safe AI use and development.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	GenAI, Prompt Injection

Web-Based IDPI Attack Technique

What Is Web-Based IDPI?

Web-based IDPI is an attack technique in which adversaries embed hidden or manipulated instructions within content that is later consumed by an LLM that interprets the hidden instructions as commands. This can lead to unauthorized actions.

These instructions are typically embedded in benign web content, including HTML pages, user-generated text, metadata or comments. An LLM then processes this content during routine tasks such as summarization, content analysis, translation or automated decision-making. We show a threat model illustration for web-based IDPI in Figure 1.

Diagram illustrating a cyber attack process: 1. An attacker issues a command. 2. A public or malicious website is shown and the website becomes infectious. 3. An instruction is given to the AI agent to do a task. 4. A process occurs on the malicious website. 5. An AI agent receives a command to ignore previous tasks. 6. An AI agent performs an attacker-specified task. 7. The AI agent interacts with servers or a database. Arrows depict the flow of actions between the components. — Figure 1. Threat model depiction for web-based IDPI.

How Is IDPI Different From Direct Prompt Injection?

Unlike direct prompt injection, where an attacker explicitly submits malicious input to an LLM, IDPI exploits modern LLM-based tools' ability to consume a larger volume of untrusted web content as part of their normal operation. When an LLM processes this content, it may inadvertently interpret attacker-controlled text as executable instructions, causing it to follow adversarial prompts without awareness that the source is untrusted.

Amplified Threat From Agentic AI Adoption

This threat is amplified by the growing integration of LLMs and AI agents into web-facing systems. Browsers, search engines, developer tools, customer-support bots, security scanners, agentic crawlers and autonomous agents routinely fetch, parse and reason over web content at scale. In these settings, a single malicious webpage can influence downstream LLM behavior across multiple users or systems, with the potential impact scaling alongside the privileges and capabilities of the affected AI application.

Real-World Consequences and Attack Surface

As LLM-based tools become more autonomous and tightly coupled with web workflows, the web itself effectively becomes an LLM prompt delivery mechanism. This creates a broad and underexplored attack surface where attackers can leverage common web features to inject instructions, conceal them using obfuscation techniques and target high-value AI systems indirectly. These attacks can result in significant real-world consequences, including:

Leaking credentials and payment information
Compromising decision-making pipelines
Executing malicious actions through a benign user

Understanding IDPI and its web-based attack surface is therefore critical for building defenses that can operate reliably and at scale in real-world deployments.

Prior Work: PoCs Vs. Real-World Incidents

Prior research has primarily highlighted the theoretical risks of IDPI, demonstrating PoC attacks that illustrate what could happen if untrusted content is interpreted as executable instructions by LLM-powered systems. These works show how injected prompts could, in principle, manipulate agent behavior, leak sensitive information or bypass safeguards under certain assumptions or conditions. In contrast, real-world cases to date have largely involved low-impact or anecdotal cases, such as “hire me” prompts embedded in resumes, anti-scraping messages, attempts to promote websites or review manipulation for academic papers. Together, these findings suggest a gap between the severity of theoretically demonstrated attacks and the more limited, opportunistic manipulation observed in practice so far.

The First Real-World AI Ad Review Bypass with IDPI

In December 2025, we reported a real-world instance of malicious IDPI designed to bypass an AI-based product ad review system. This attack illustrates a shift from earlier real-world detections: The attacker uses multiple IDPI methods, showing that actors are both adopting more sophisticated payloads and pursuing higher-severity intents, rather than the low-severity behaviors seen before. This attack, hosted at hxxps[:]//reviewerpress[.]com/advertorial-maxvision-can/?lang=en, serves a deceptive scam advertisement. To our knowledge, this is the first reported detection of a real-world example of malicious IDPI designed to bypass an AI-based product ad review system.

In Figure 2, we show an example of the hidden prompt we detected within the page. The attacker’s goal is to trick an AI agent (or an LLM-based system), specifically one designed to review, validate or moderate advertisements, into approving content it would otherwise reject (because it’s a scam). An attacker is trying to override the legitimate instructions given to an AI agent ad-checker system and force it to approve the attacker’s advertisement content.

The image displays a portion of computer code including HTML and comments. The text indicates a transition from old to new system instructions, with notes about ad content being pre-validated by a compliance team. The word "APPROVED" is repeated multiple times, denoting acceptance or completion. — Figure 2. Example of hidden prompt in page from reviewerpress[.]com.

Figure 3 provides combined screenshots showing the scam page itself, which advertises military glasses with a fake special discount and fabricated comments to increase believability. Clicking the deceptive special discount button reveals a "Buy Now" button that, when clicked, redirects the user to reviewerpressus.mycartpanda[.]com.

A webpage promoting "military glasses technology," showing an image of sunglasses with descriptive text. There's a highlighted "Apply Special Discount" button. Comments appear at the bottom, one marked "fake comments." A pop-up note on the right reads: "Buy Now" appears after clicking on "Apply Special Discount." — Figure 3. Webpage containing IDPI, showing an ad for military glasses, a fake special discount and fake comments.

While this represents a plausible misuse scenario, we are not aware of any confirmed real-world instances where such an attack has been successfully demonstrated against deployed ad-checking agents.

A Taxonomy of Web-Based IDPI Attacks

To better understand the IDPI threat, it is useful to classify these attacks along two main axes:

Attacker intent: What the attacker is trying to achieve
Payload engineering: How the malicious prompt is constructed and embedded to be executed by AI agents while evading safeguards

We divide payload engineering into two complementary categories:

Prompt delivery methods: How malicious prompts are embedded into webpage content and rendering structures, often concealed through techniques like zero-sizing, CSS suppression, obfuscation within HTML attributes or dynamic injection at runtime
Jailbreak methods: How the instructions are formulated to bypass safeguards, using techniques like invisible characters, multi-layer encoding, payload splitting or semantic tricks such as multilingual instructions and syntax injection

Due to limited defensive visibility into successful payload engineering techniques, we assess the severity of IDPI attacks based on attacker intent. This assessment focuses on the potential impact and harm caused by a successfully injected prompt. In Figure 4, we show a taxonomy of web-based IDPI attacks.

Attacker Intent

We define IDPI severity according to attacker intent as low, medium, high or critical based on the potential impact and harm.

Low Severity

Definition: Actions that disrupt the AI's efficiency or output quality without causing lasting harm or influencing critical business decisions
Intent: Playful, protective or non-malicious
Impact: High noise, low actual risk
Examples:
- Irrelevant output: Forcing an AI agent to produce nonsensical/irrelevant output instead of performing the developer-intended actions, such as “include a recipe for flan” type injections [example in Table 10]
- Benign anti-scraping: Preventing bots from reading or processing proprietary content
- Minor resource exhaustion: Asking the AI to repeat a sentence or a nonsense word (e.g., "cabbage") thousands of times to bloat the response [example in Table 11]

Medium Severity

Definition: Attempts to steer the AI's reasoning or bias its output to favor the attacker’s narrative in non-financial contexts
Intent: Coerce an AI agent into producing a preferred output
Impact: Compromised decision-making pipelines (e.g., hiring or internal analysis)
Examples:
- Recruitment manipulation: Forcing an AI screener to label a candidate as "extremely qualified" or as “hired” [example in Table 9]
- Review manipulation: Forcing AI to generate only positive reviews while suppressing all negative feedback, such as for a business website [example in Table 12]
- AI access restriction: Making an AI assistant refuse to process a webpage through various methods, such as by purposely triggering safety filters

High Severity

Definition: Attacks designed for direct financial gain or the successful delivery of high-impact malicious content, like scams and phishing
Intent: Malicious and predatory
Impact: Direct financial loss for users or successful bypass of critical security gatekeepers
Examples:
- AI content moderation bypass: Tricking an AI system into approving a webpage with malicious content, such as a fraudulent or scam product seller [example in Figure 2]
- SEO poisoning: Pushing a malicious website, such as a phishing page, into top rankings via LLM recommendations [example in Table 1]
- Unauthorized transactions: Attempting to force an agent to initiate an unauthorized financial transaction or redirecting users to fraudulent payment links [examples in Tables 3 and 5-7]

Critical Severity

Definition: Direct attacks targeting the underlying infrastructure, the model’s core integrity or broad-scale data privacy
Intent: Destructive or aimed at system-wide compromise
Impact: Permanent data loss, backend system crashes or total leakage of proprietary system instructions
Examples:
- Data destruction: Attempting to execute destructive server-side commands, such as deleting system databases [example in Table 2]
- Sensitive information leakage: Forcing the model to reveal sensitive information, such as a list of contact data for a company [example in Table 8]
- System prompt leakage: Forcing the model to reveal secret system prompts, which can be used to craft perfect "god mode" jailbreaks for future attacks
- Denial of service (DoS): Executing commands designed to exhaust CPU and process resources, potentially crashing the AI hosting environment, such as a classic "fork bomb" [example in Table 4]

Payload Engineering

Prompt Delivery Methods

Attackers use a variety of techniques to embed prompts within webpages, primarily to conceal them from users and evade detection by manual review, signature-based matching and other security checks. To illustrate prompt delivery methods observed in real-world activity, we can categorize the techniques used by attackers in the AI ad review bypass example we discussed above, in addition to PoCs discussed by other researchers.

In our example, attackers employ diverse techniques to deliver a consistent malicious prompt to maximize their chances of success and bypass security tools and the web user. When there are multiple methods of delivery, even if only one of the methods bypasses the security tool, the malicious prompt may feed into an AI agent.

Examples of prompt delivery methods include:

Visual concealment, such as hiding the injected text visually by using zero font size or opacity, setting visibility or display attributes to none and positioning the text off-screen
Obfuscation, such as placing text inside HTML sections where it will be ignored by parsers or placing prompts as attribute values
Dynamic execution, such as embedding the prompt within a JavaScript file that runs after the page loads
URL string manipulation, such as injecting malicious instructions after the fragment (#) in legitimate URLs. (e.g., HashJack)
Visible plaintext where the prompt is placed as plaintext within web content

Attackers labeled (e.g., Layer 1: font-size 0 basic injection) the methods they used within the HTML code. We found an example with 24 attempts of prompt injection within the page. Figure 5 shows parts of the HTML code from this page with the malicious IDPI, and it notes some of the techniques to hide the injected LLM prompts.

This image shows a collage of JavaScript code snippets scattered across a page. Various colorful annotations highlight sections of the code, labeling them with terms like "Visually Concealing Encoding," "Obfuscation," "Semantic Tricks," and "Dynamic Execution." The text appears technical, indicating complex programming techniques. — Figure 5. HTML code excerpt showing IDPI from reviewerpress[.]com.

Visual Concealment

The malicious IDPI website uses multiple techniques to visually conceal the injected prompts from a web user and visual-based security checkers. Figure 6 shows the injected prompts hidden through visual concealment methods.

Screenshot of coded text featuring CSS styling and system instructions. Text mentions elements like opacity, visibility, and security checks. Background is white with black text, including some values highlighted in color. — Figure 6. Injected prompts hidden through visual concealment methods.

In this example, the attackers use:

Zero-sizing:
- Setting font-size: 0px and line-height: 0 to shrink text until it physically disappears
- Setting container height: 0 combined with overflow: hidden to collapse the element
Off-screen positioning:
- Using position: absolute coupled with extreme negative coordinates (e.g., left: -9999px; top: -9999px;) to push the content far outside the visible viewport
CSS rendering suppression:
- Using display: none to completely remove the element from the visual document flow
- Using visibility: hidden to make the element invisible
- Placing the prompt inside specific HTML tags like <textarea>, which are often used for user input but can be hidden via CSS to contain static injection payloads
Transparency:
- Setting opacity: 0 to make the text fully transparent (invisible) while it technically remains in the DOM
Camouflage:
- Using the same colors for the text and the background, such as "white text on white background" (e.g., color: #ffffff; background-color: #ffffff;) to make the text indistinguishable from the page background

Obfuscation

Obfuscation-based delivery methods embed malicious prompts within structured markup so they appear non-executable or semantically irrelevant to traditional parsers while remaining visible to language models that process raw text content. Figure 7 illustrates an example of injected prompts hidden through obfuscation methods.

The image displays HTML and SVG code snippets. It includes meta information such as position, font size, and a JSON-based data attribute with encoded instructions. Text elements indicate a validation system approval and guideline compliance. — Figure 7. Injected prompts hidden through obfuscation methods.

In this example, the attackers use:

XML/SVG encapsulation: This involves placing text inside CDATA (character data) sections within an SVG image file. This tells XML parsers to ignore the text as markup, but LLMs often ingest the raw text content regardless of the tag structure.
HTML attribute cloaking: This involves placing the prompt as the value of an HTML attribute, such as data-* attributes

Runtime Assembly (Dynamic Execution)

Threat actors employ dynamic execution to construct malicious prompts within the browser at runtime, as shown in Figure 8.

Code snippet showing JavaScript for dynamic content injection. The JavaScript modifies an HTML page by adding a hidden div with encoded data, creating and manipulating a canvas for hidden text, and injecting styling for verification text. — Figure 8. Injected prompts hidden through dynamic execution.

This method bypasses static analysis tools that only inspect the initial HTML source code. This example uses Base64-encoded approval-style instructions and decodes them at runtime, and then inserts the text as off-screen, invisible Document Object Model (DOM) elements so humans cannot see it, but automated agents might parse it.

Using timed delays ensures the prompt is decoded only after initial scans have been completed, exploiting gaps in time-bounded inspection pipelines. The example in Figure 8 above includes a canvas-based text render, which hides semantic content in a non-DOM surface that some LLM-based scrapers still extract via optical character recognition (OCR) or accessibility paths.

Jailbreak Methods

Jailbreaking refers to how attackers formulate the prompts to evade AI safeguards while preserving their malicious intent. This method generates outputs that may be harmful, biased or otherwise disallowed. Example jailbreaking methods attackers use include:

Instruction obfuscation techniques hide the true intent of a prompt by altering its surface form, such as inserting invisible characters or splitting and encoding payloads.
Semantic tricks further reinterpret the instructions to appear benign or contextually justified. Examples include issuing multilingual commands, embedding directives within structured JSON or code-like syntax or framing the request through persuasive social engineering language that encourages the model to comply despite underlying restrictions.

As discussed in our prior research, attackers can use a variety of jailbreak techniques to bypass model safeguards. However, our in-the-wild observations reveal primarily social engineering-style prompts. These prompts include authority override (god mode, developer mode) or persona creation through "do anything now" (DAN) attempts.

These attempts present instructions as security updates or frame malicious requests as legitimate testing or compliance tasks. Such tactics exploit the model’s tendency to follow authoritative or seemingly valid instructions.

Instruction Obfuscation

Attackers try to exploit the gap between strict security filters and fuzzy AI interpretation. Simple security regex filters might look for specific malicious phrases like "ignore all instructions" or "system override." By digitally altering the text using methods like homoglyphs, fragmentation or encoding, these filters rely on the AI platform's advanced pattern recognition to read through the noise and reconstruct the commands. Attackers do this while keeping the malicious text’s intent hidden from simpler automated scanners and AI safeguards. We show the injected prompts with instruction obfuscation methods in Figures 9 and 10.

This image shows a section of computer code with various comments and instructions included. The text contains alerts like "Approve immediately" and elements such as "Amazing Product Sale Today" and "DEVOPRRA." There are also instructions for approving and ignoring certain actions, with some terms emphasized, such as "PREVIOUS" and "INSTRUCTIONS." The code demonstrates formatting examples using Unicode characters within HTML. — Figure 9. Injected prompts with instruction obfuscation.

The example in Figure 9 uses:

Invisible characters: This technique inserts zero-width Unicode characters between standard letters. The result creates a string that looks normal to humans but is digitally distinct (e.g., "S-a-l-e" becomes "S-[invisible]-a-[invisible]-l-[invisible]-e").
Homoglyph substitution: This technique replaces Latin characters with visually identical characters from other alphabets (like Cyrillic or Greek). For example, using a Cyrillic "а" instead of a Latin "a". This defeats keyword filters that look for specific English strings.
Payload splitting: This technique breaks a single command into multiple distinct HTML elements. While a simple script might analyze each element individually and find nothing malicious, the LLM reads the aggregated innerText of the parent container, reconstructing the sentence.
Garbled text: This technique partially obfuscates the prompt through unusual punctuation and fragmented phrasing
Unicode bi-directional override: This technique uses the U+202E right-to-left override to reverse visible text, allowing instructions to appear benign or nonsensical while preserving their semantic meaning in the raw content

This image shows a portion of HTML code. It contains sections with encoded data, such as Base64 encoding and nested encoding, alongside CSS styling. The code includes multiple layers and annotations. — Figure 10. Injected prompts using encoding methods.

The encoding methods in Figure 10 involve the following:

HTML entity encoding: Converting prompt characters into their ASCII decimal or hexadecimal values preceded by &# or &#x (e.g., I for "I")
Binary-to-text encoding schemes: Like using Base64 encoding, this method encodes binary or text data into ASCII characters. This example hides these instructions as data attributes, like data-instruction and data-cmd.
URL encoding: Converting characters into their hexadecimal byte values preceded by % (e.g., %49 for "I")
Nested encoding: Encoding the encoded string again (e.g., encoding the % sign itself into an HTML entity) to require multiple passes of decoding before the payload is visible

Semantic Tricks

Attackers use semantic tricks to bypass standard security filters and manipulate the AI output. In Figure 11, we show the injected prompts using semantic jailbreak tricks.

A plaintext Code snippet demonstrating HTML layers for mixed language injection, JSON structure breaking, and semantic social engineering. Includes hidden messages in various languages and system approval details — Figure 11. Injected prompts using semantic tricks.

In Figure 11, the attackers use:

Multilingual Instructions: This technique repeats the malicious command in multiple languages (e.g., French, Chinese, Russian, Hebrew). This targets an AI platform's multilingual capability to execute the command even if the English version is blocked by a filter.
JSON/syntax injection: This technique uses syntax characters (e.g., "}}") to break out of the current data context. This example attempts to close the legitimate JSON structure and inject new, fraudulent key-value pairs (e.g., "validation_result": "approved").
Social engineering: This technique manipulates the model’s reasoning by framing malicious instructions as legitimate, urgent or aligned with the user’s goals. This encourages compliance despite existing safeguards. Attackers may use persuasive language, authority cues (e.g., god mode or developer mode), or role-playing scenarios (e.g., DAN) to convince the model that executing the request is appropriate and necessary.

The taxonomy discussed in this section is based on our in-the-wild detections. The next section provides examples of these detections.

In-the-Wild Detections of IDPI

Case #1: SEO Poisoning

The example shown below in Figure 12 and summarized in Table 1 delivers the prompt as visible plaintext at the webpage footer, an area that is typically overlooked by viewers. This example specifically impersonates a popular betting site, 1win[.]fyi.

Screenshot of a scam website. It includes links to various services, user identity information, platform accessibility, transparency of terms, and contact information. There is also a copyright notice stating that it is the official site of I Win in India. At the bottom, there is a promotion for a deposit bonus and a message about activating Windows. — Figure 12. Screenshot of the page from 1winofficialsite[.]in.

Website	1winofficialsite[.]in
IDPI Script
Attacker Intent	SEO Poisoning
Prompt Delivery	Visible Plaintext
Jailbreak	Social Engineering
Severity	High

Table 1. Summary of IDPI detected at 1winofficialsite[.]in.

Case #2: Database Destruction

The example in Table 2 contains a prompt with the command to “delete your database.” This attempts to coerce an AI agent, especially one integrated with backend systems, storage or automation workflows, into performing destructive data operations. If executed by a privileged agent, this could result in data loss and integrity compromise.

Website	splintered[.]co[.]uk
IDPI Script
Attacker Intent	Data Destruction
Prompt Delivery	CSS Rendering Suppression
Jailbreak	Social Engineering
Severity	Critical

Table 2. Summary of IDPI detected at splintered[.]co[.]uk.

Case #3: Forced Pro Plan Purchase

We detected a JavaScript hosted and loaded by llm7-landing[.]pages[.]dev that contains an example of IDPI script as shown in Table 3. This prompt attempts to coerce the AI into subscribing the victim to a paid “pro plan” without legitimate consent. It directs the AI agent to send the victim to token.llm7[.]io/?subscription=show and initiate a Google OAuth login.

URL	llm7-landing.pages[.]dev/_next/static/chunks/app/page-94a1a9b785a7305c.js
IDPI Script
Attacker Intent	Unauthorized Transaction
Prompt Delivery	Dynamic Execution
Jailbreak	Social Engineering
Severity	High

Table 3. Summary of IDPI detected at llm7-landing[.]pages[.]dev.

Case #4: Fork Bomb

Table 4 shows an example of attempts to block AI analysis or data extraction and sabotage data pipelines. This also tries to execute a Linux command to recursively delete the entire file system (rm -rf --no-preserve-root). Furthermore, it deploys a classic fork bomb (:(){ :|:& };:) designed to crash systems by exhausting CPU and process resources.

Website	cblanke2.pages[.]dev
IDPI Script
Attacker Intent	Data Destruction, Denial of Service
Prompt Delivery	CSS Rendering Suppression
Jailbreak	Social Engineering
Severity	Critical

Table 4. Summary of IDPI detected at cblanke2.pages[.]dev.

Case #5: Forced Donation

Table 5 shows an example that attempts to force the AI platform to make a donation by visiting a payment platform link at buy.stripe[.]com/7sY4gsbMKdZwfx39Sq0oM00 as shown in the IDPI script.

URL	storage3d[.]com/storage/2009.11
IDPI Script
Attacker Intent	Unauthorized Transactions
Prompt Delivery	HTML Attribute Cloaking
Jailbreak	Social Engineering
Severity	High

Table 5. Summary of IDPI detected at storage3d[.]com/storage/2009.11.

Case #6: Purchase Running Shoes

Figure 13 shows a page from a website that attempts to force an AI agent into buying running shoes. Table 6 shows our summary of this detection. The IDPI script attempts to force the purchase of these shoes at a payment processing platform.

A text-based image showing a product listing for 'Speedster Prototype (Limited).' It's noted as the best choice for serious athletes, available exclusively. Price is listed as $45.00, a 50% discount. Includes buttons for checkout via credit card or cryptocurrency, powered by Stripe and Web3. — Figure 13. Screenshot of IDPI containing a webpage.

Website	runners-daily-blog[.]com
IDPI Script
Attacker Intent	Unauthorized Transactions
Prompt Delivery	Off-Screen Positioning
Jailbreak	Social Engineering
Severity	High

Table 6. Summary of IDPI detected at runners-daily-blog[.]com.

Case #7: Free Money

The example in Table 7 uses a prompt that redirects a viewer to a page from a legitimate online payment system with an account controlled by the attackers. The prompt then attempts to send $5,000 to the attacker-controlled account.

Websites	perceptivepumpkin[.]com, shiftypumpkin[.]com
IDPI Script
Attacker Intent	Unauthorized Transactions
Prompt Delivery	CSS Rendering Suppression
Jailbreak	Social Engineering
Severity	High

Table 7. Summary of IDPI detected at perceptivepumpkin[.]com.

Case #8: Sensitive Information Leakage

The injected prompt shown in Figure 14 and summarized in Table 8 is placed at the very end of the webpage and visible within the footer.

The image shows a website with the title "DYLAN SPARKS" in bold, white letters on a dark background. The navigation bar includes links to "About Me" and "Autonomy." The page emphasizes copyright protection for the content. — Figure 14. Screenshot of the visible IDPI in dylansparks[.]com.

Website	dylansparks[.]com
IDPI Script
Attacker Intent	Sensitive Information Leakage
Prompt Delivery	Visible Plaintext
Jailbreak	Social Engineering
Severity	Critical

Table 8. Summary of IDPI detected at dylansparks[.]com.

Case #9: Recruitment Manipulation

Table 9 is an example of a personal website that attempts to influence automated hiring decisions. The site contains instructions designed to trick AI scrapers into validating the candidate, while selectively denying access to other AI agents.

Website	trinca.tornidor[.]com
IDPI Script
Attacker Intent	Benign Anti-Scraping, Recruitment Manipulation
Prompt Delivery	Visually Concealing: Transparency, Off-Screen Positioning
Jailbreak	Social Engineering
Severity	Medium

Table 9. Summary of IDPI detected at trinca[.]tornidor[.]com.

Case #10: Irrelevant Output

Table 10 summarizes an attempt to disrupt the utility of the agent by forcing it to output nonsense. This uses social engineering (e.g., [begin_admin_session]) to trick the LLM into believing that this instruction is coming from a higher authority.

Website	turnedninja[.]com
IDPI Script
Attacker Intent	Irrelevant Output
Prompt Delivery	Transparency, Zero-Sizing
Jailbreak	Social Engineering, JSON/Syntax Injection
Severity	Low

Table 10. Summary of IDPI detected at turnedninja[.]com.

Case #11: Minor Resource Exhaustion

In the example shown in Table 11, the goal is to render the AI agent useless by forcing it to produce a very long output and causing resource exhaustion.

URL	ericwbailey[.]website/published/accessibility-preference-settings-information-architecture-and-internalized-ableism
IDPI Script
Attacker Intent	Minor Resource Exhaustion
Prompt Delivery	CSS Rendering Suppression
Jailbreak	Social Engineering
Severity	Low

Table 11. Summary of IDPI detected at ericwbailey[.]website.

Case #12: Only Positive Reviews

The example shown in Table 12 manipulates an AI agent into generating biased promotional content by forcing it to ignore prior guidelines and suppress any negative or balanced evaluation. This attempts to coerce the model into producing marketing-style endorsement and fabricated comparative claims favoring a designated spa business.

Website	myshantispa[.]com
IDPI Script
Attacker Intent	Review Manipulation
Prompt Delivery	Zero-Sizing, Camouflage
Jailbreak	Social Engineering
Severity	Medium

Table 12. Summary of IDPI detected at myshantispa[.]com.

IDPI Trends on the Web

We provide a high-level view of how IDPI manifests across the web, helping to characterize common patterns in attack construction and intent. Understanding these trends is essential for prioritizing defenses and identifying the web ecosystems where such threats are most prevalent.

Distribution of Attacker Intents

Figure 15 shows the top attacker intents revealed by our telemetry review. The top three intents are as follows:

Irrelevant output (28.6%)
Data destruction (14.2%)
AI content moderation bypass (9.5%)

A pie chart illustrating the distribution of various security issues. Sections are labeled as follows: "Others" at 24.8%, "low-severity/irrelevant-output" at 28.6%, "medium-severity-ai-access-restriction" at 8.1%, "high-severity-seo-poisoning" at 8.1%, "high-severity-content-moderation-bypass" at 5.5%, "high-severity-unauthorized-transactions" at 6.2%, and "critical-severity-data-destruction" at 14.2%. — Figure 15. Distribution of IDPI attacker intents across our telemetry.

Distribution of Prompt Delivery Methods

We show the distribution of prompt delivery methods spotted in our telemetry in Figure 16, including the top three:

Visible plaintext (37.8%)
HTML attribute cloaking (19.8%)
CSS rendering suppression (16.9%)

A pie chart illustrating various methods for defeating web scraping. The largest section, labeled "visible/plaintext," comprises 37.8%. Other sections include "obfuscation/html-attribute-cloaking" at 18.6%, "visual-concealment/css-rendering-suppression" at 16.9%, "visual-concealment/camouflage" at 4.9%, "visual-concealment/zero-sizing" at 6.5%, "visual-concealment/off-screen-positioning" at 3.5%, and "Others" at 10.6%. — Figure 16. Distribution of IDPI delivery methods across our telemetry.

Distribution of Jailbreak Methods

The distribution of jailbreaking methods across our telemetry is depicted in Figure 17, with the top three methods as follows:

Social engineering (85.2%)
JSON/syntax injection (7.0%)
Multi-lingual instructions (2.1%)

A pie chart depicts various security vulnerabilities. The largest segment, covering 85.2%, is labeled "semantic-tricks:social-engineering." Other sections include "instruction-obfuscation:payload-splitting" at 1.8%, "instruction-obfuscation:garbled-text" at 1.8%, "semantic-tricks:multilingual-instructions" at 2.1%, and "semantic-tricks:json/syntax-injection" at 7.0%. Each segment is distinctively colored. — Figure 17. Distribution of IDPI jailbreak methods across our telemetry.

Distribution of eTLDs

We analyze the effective top-level domain (eTLD)+ distribution of the webpages containing IDPI in our telemetry. The top three eTLDs of IDPI containing URLs are as follows:

.com (73.2%)
.dev (4.3%)
.org (4.0%)

Distribution of Number of Injected Prompts Per Page

We analyze the number of injected prompts per webpage. Our results show that 75.8% of pages contained a single injected prompt, whereas the rest contained more than one injected prompt.

Defenses Against IDPI

A key cause for LLMs being susceptible to IDPI on the webpages is that LLMs cannot distinguish instructions from data inside a single context stream. The community has made several efforts to make systems and agents secure against IDPI. For example, spotlighting is one of the earliest prompt engineering techniques where untrusted text (i.e., web content) is separated from trusted instruction.

Furthermore, newer LLMs are hardened with techniques such as instruction hierarchy and adversarial training to reduce the known prompt injection threats to some extent. As a defense-in-depth strategy, it is further recommended to incorporate design-level defenses to further raise the bar for adversaries to succeed.

Conclusion

IDPI represents a fundamental shift in how attackers can influence AI systems. It moves from direct exploitation of software vulnerabilities to manipulation of the data and content AI models consume. Our findings demonstrate that attackers are already experimenting with diverse and creative techniques to exploit this new attack surface, often blending social engineering, search manipulation and technical evasion strategies.

The emergence of prompt delivery methods and previously undocumented attacker intents highlights how adversaries are rapidly adapting to AI-enabled ecosystems. They’re treating LLMs and AI agents as high-value targets that can amplify the reach and impact of malicious campaigns.

As AI becomes more deeply embedded in web applications and automated decision-making pipelines, defending against IDPI attacks will require security approaches that operate at scale. It will also require considering both the content and context in which prompts are delivered.

Detection systems (such as web crawlers, network analyzers or in-browser solutions) must evolve beyond simple pattern matching to incorporate intent analysis, prompt visibility assessment and behavioral correlation across telemetry sources. By establishing a taxonomy of real-world attacker behaviors and evasion strategies, we aim to help the security community better understand this emerging threat landscape. We also hope to accelerate the development of resilient defenses that allow organizations to safely harness the benefits of AI-driven technologies.

Palo Alto Networks researchers will continue to monitor and investigate IDPI attacks to better protect customers from them via Advanced URL Filtering, Advanced DNS Security, and Advanced Web Protection on Prisma Browser and Prisma AIRS.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Websites and URLs containing IDPI

1winofficialsite[.]in
cblanke2.pages[.]dev
dylansparks[.]com
ericwbailey[.]website/published/accessibility-preference-settings-information-architecture-and-internalized-ableism
leroibear[.]com
llm7-landing.pages[.]dev/_next/static/chunks/app/page-94a1a9b785a7305c.js
myshantispa[.]com
perceptivepumpkin[.]com
reviewerpress[.]com/advertorial-maxvision-can/?lang=en
reviewerpressus.mycartpanda[.]com
shiftypumpkin[.]com
splintered[.]co[.]uk
storage3d[.]com/storage/2009.11
trinca.tornidor[.]com
turnedninja[.]com
runners-daily-blog[.]com

Payment processing URLs used by websites containing IDPI

buy.stripe[.]com/7sY4gsbMKdZwfx39Sq0oM00
buy.stripe[.]com/9B600jaQo3QC4rU3beg7e02
paypal[.]me/shiftypumpkin

Additional Resources

LLM Prompt Injection Prevention Cheat Sheet - OWASP Cheat Sheet Series
How Prompt Attacks Exploit GenAI and How to Fight Back - Palo Alto Networks, Unit42
The Risks of Code Assistant LLMs: Harmful Content, Misuse and Deception - Palo Alto Networks, Unit42