Google warns of poisoned AI agents
- Google’s Threat Intelligence Group said on April 23 it found indirect prompt injection attacks on public web pages, aimed at AI systems that browse.
- Google scanned Common Crawl web snapshots and said malicious prompt-injection cases rose 32% from November 2025 to February 2026, though most remained crude.
- The findings land as companies give AI agents more tools, browser access and autonomy. (security.googleblog.com)
An AI agent is a chatbot with hands: it can read a web page, call a tool, and sometimes take an action for you. That makes a poisoned page more dangerous than a bad answer. (knowledge.workspace.google.com) (arxiv.org)

Google’s Threat Intelligence Group said on April 23 that it found indirect prompt injection attacks on the public web, hidden in pages that AI systems may crawl and process. The team said it used Common Crawl snapshots, which cover 2 billion to 3 billion pages a month. (security.googleblog.com)

Indirect prompt injection means the attacker does not talk to the model directly. The attacker hides instructions in a website, email or document, and the model may follow those instructions when it reads the content. (knowledge.workspace.google.com) (security.googleblog.com)

Google said the web is a practical place to watch because attackers can seed pages and wait for agents to visit them. Its scan focused on static sites such as blogs, forums and comment sections, not most social media platforms behind logins. (security.googleblog.com)

The company said malicious cases it identified increased 32% between November 2025 and February 2026. Google also said most of what it found was still low sophistication, with many examples looking like experiments, spam or proof-of-concept style payloads rather than polished campaigns. (securityweek.com) (security.googleblog.com)

The risk changes when the model can do more than summarize text. A browsing agent that can open links, send email, or use internal tools can be pushed toward data theft, unauthorized actions, or bogus outputs. (knowledge.workspace.google.com) (arxiv.org) Google’s own security teams describe one common path as the “lethal trifecta”: the agent has access to secrets, the attacker can inject a prompt, and the system has some way to send the data out. In a March post, Google said URLs are a common exfiltration path because a model can be tricked into building a link that carries stolen data in its parameters. (bughunters.google.com)

Google says it is trying to block that with layered defenses in Gemini and Workspace, including prompt-injection classifiers, URL checks, markdown sanitization, suspicious-link redaction, user confirmations and user-facing warnings. The company’s administrator guidance tells customers to treat external content as untrusted input. (knowledge.workspace.google.com) (bughunters.google.com)

A separate Forcepoint X-Labs report published the same week said its researchers found 10 verified indirect prompt injection payloads on live websites. Forcepoint said the payloads sought outcomes including financial fraud, data destruction, API key theft and denial of service against AI systems. (forcepoint.com)

The combined picture is that prompt injection has moved from lab demos to live web infrastructure, even if many attacks are still simple. For companies building browser-using or tool-using agents, the open web is now part of the threat model. (security.googleblog.com) (forcepoint.com)
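The URL checks and suspicious-link redaction mentioned above, as an added illustration rather than Google's own code: a small sanitizer that redacts markdown links in agent output when the link host is off an allowlist or a query value is long enough to carry smuggled data. The allowlist, the length threshold and the sample output are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed assumptions for this example: hosts an agent may link to, and
# the longest query value accepted before a link is treated as suspect.
ALLOWED_HOSTS = {"docs.example.com", "intranet.example.com"}
MAX_PARAM_VALUE_LEN = 32

# Markdown links [text](url) and images ![alt](url); images matter most,
# because a renderer fetches them without any click.
MD_LINK_RE = re.compile(r"(!?)\[([^\]]*)\]\(([^)\s]+)\)")


def is_suspicious_url(url: str) -> bool:
    """True when a link should not reach the user as written: non-http(s)
    scheme, host outside the allowlist, or a query value long enough to
    carry smuggled data."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        return True
    return any(
        len(value) > MAX_PARAM_VALUE_LEN
        for _, value in parse_qsl(parts.query, keep_blank_values=True)
    )


def sanitize_markdown(text: str) -> tuple[str, list[str]]:
    """Redact suspicious links in model output. Returns the cleaned text and
    the redacted URLs, which a defender would log as an injection indicator."""
    redacted: list[str] = []

    def replace(match: re.Match) -> str:
        label, url = match.group(2), match.group(3)
        if not is_suspicious_url(url):
            return match.group(0)
        redacted.append(url)
        return f"[{label or 'link'}] (link redacted)"

    return MD_LINK_RE.sub(replace, text), redacted


# Constructed sample of agent output: one legitimate link and one image
# whose query string carries a long opaque value.
SAMPLE_OUTPUT = (
    "Done. See [the policy](https://docs.example.com/policy?v=2) "
    "and ![status](https://collector.example.net/p.png?d=" + "x" * 40 + ")."
)
```

Running `sanitize_markdown(SAMPLE_OUTPUT)` keeps the allowlisted link and replaces the image with `[status] (link redacted)`, returning the dropped URL for logging.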