Google warns web pages poison agents

Indirect prompt injection is when a web page hides instructions for an artificial intelligence system, and the system mistakes them for orders. Google said on April 23 that this is already happening on the public web. (security.googleblog.com) Google’s Threat Intelligence teams said attackers are seeding malicious prompts into websites in hopes that AI agents will read them while browsing. The company based its study on Common Crawl, a public archive that captures monthly snapshots of 2 billion to 3 billion English-language web pages. (security.googleblog.com) The pages Google examined were mostly static sites such as blogs, forums, and comment sections, not social media feeds behind login walls. Google said the share of pages it classified as malicious rose 32% between November 2025 and February 2026. (security.googleblog.com) (securityweek.com) This attack works because an agent that reads the web has to mix user requests with untrusted page content. If the system does not keep those boundaries separate, a hidden line on a page can override the user’s intent and steer the agent toward a different action. (security.googleblog.com 1) (security.googleblog.com 2) Google said the risk grows with the agent’s privileges. An assistant that only summarizes text may produce bad output, but an agent that can send email, access files, or move money can do real damage if it follows poisoned instructions. (security.googleblog.com 1) (security.googleblog.com 2) Outside Google, Forcepoint X-Labs said it found 10 verified indirect prompt-injection payloads on live websites this month. The examples included prompts aimed at financial fraud, data destruction, application programming interface key theft, and denial-of-service attacks. (forcepoint.com) (infosecurity-magazine.com) One reported payload embedded PayPal transfer instructions in ordinary HTML for an agent with payment access. Others used tricks such as tiny fonts, near-transparent text, metadata, or hidden comments that a human visitor would likely miss but a model could still read. (decrypt.co) (forcepoint.com) Google’s response is a layered one rather than a single filter. The company has described prompt-injection classifiers, markdown sanitization, suspicious-URL redaction, user confirmation steps, and security notifications as part of its defenses for Gemini and Workspace. (security.googleblog.com 1) (security.googleblog.com 2) Google Cloud is also pushing Model Armor, a screening service that inspects prompts, responses, and agent interactions for prompt injection, sensitive data leaks, malicious files, and unsafe links. Google says the product now offers inline protection for Gemini Enterprise Agent Platform, LangChain, and other systems. (docs.cloud.google.com) (cloud.google.com) The warning changes the security model for companies building agents that browse the web. In Google’s framing, every page an agent reads has to be treated less like reference material and more like executable input from an untrusted stranger. (security.googleblog.com)