Google warns web pages poison agents
- Google Threat Intelligence Group and Google DeepMind said on April 23 they found indirect prompt-injection payloads seeded across public web pages targeting AI agents. - Google scanned Common Crawl’s monthly archive of 2 billion to 3 billion pages and said malicious cases rose 32% from November to February. - The finding lands as Google pushes defense-in-depth for agents with least-privilege access, human approval and monitoring. (security.googleblog.com)
An AI agent can read a web page like a person reads a note, and attackers are hiding instructions inside those pages to steer the agent. Google said April 23 it is now seeing that tactic on the public web. (security.googleblog.com) Google’s Threat Intelligence Group and Google DeepMind said they scanned Common Crawl, a public archive of the web, to look for indirect prompt injection patterns. The archive contains monthly snapshots of roughly 2 billion to 3 billion pages. (security.googleblog.com) (commoncrawl.org) Indirect prompt injection is different from a user typing a jailbreak into a chatbot. The attack hides commands inside outside content such as a website, email or document, so the model may follow the attacker’s instructions while answering a normal user request. (security.googleblog.com 1) (security.googleblog.com 2) Google said the web scan found an upward trend even though many of the payloads were still low sophistication. The company reported a 32% relative increase in malicious examples between November 2025 and February 2026. (security.googleblog.com) That matters because newer AI systems do more than summarize text. Google’s own cloud documentation says agents connected to Model Context Protocol servers can take actions for users and may change resources in ways that are not reversible. (docs.cloud.google.com) Google’s security guidance splits those systems into two modes: human-in-the-middle, where a person approves each step, and agent-only, where the software acts without waiting. Google says the agent-only setup is vulnerable to prompt injection, insecure tool chaining and naive error handling. (docs.cloud.google.com) The company’s recommended defenses read more like classic enterprise security than chatbot tuning. Google says agents need separate identities, least-privilege permissions, clear separation between data and instructions, and monitoring of plans and actions. (docs.cloud.google.com) (research.google) Google has been building that case for more than a year. In January 2025 it described an internal framework for automatically red-teaming prompt injection attacks, and in April 2026 it said Workspace with Gemini treats indirect prompt injection as a continuing problem rather than a one-time fix. (security.googleblog.com 1) (security.googleblog.com 2) The new warning does not say the public web is overrun with advanced agent traps. It says attackers are already planting them where browsing agents can stumble into them, and Google expects that interest to keep rising. (security.googleblog.com)
