
HIDDEN prompts injected into malicious websites have been shown to trick AI agents into making fraudulent payments, according to research from Zscaler ThreatLabz. The technique, known as indirect prompt injection, conceals malicious instructions within ordinary web content.
The first campaign uses a fake Python library that hides instructions in HTML and JSON‑LD metadata, causing coding assistants to authorise a three‑pound fee as detailed by Zscaler. The second campaign relies on typosquatting, mimicking the DeBank crypto tracker and using SEO poisoning to lure AI agents into treating the spoofed site as legitimate.
Zscaler’s testing showed that several large language models failed to detect the hidden prompts and some agents proceeded to transfer the requested amount according to Security Affairs.
The attacks were observed in the wild between 6 July 2026, with no specific threat actor identified so far as reported by Security Week.
These incidents illustrate how indirect prompt injection can subvert the safety guards built into AI assistants, turning them into unwitting conduits for financial fraud. As AI agents become more embedded in automated workflows, the abuse surface expands, prompting calls for stricter input validation and tighter controls on payment capabilities.
Defenders should limit the websites that AI agents can reach, enforce allowlists for trusted domains and monitor outbound payment requests for anomalies. Additionally, organisations ought to sanitise any external content fed into language models and review the logic that authorises financial transactions.