Artificial intelligence agents are quickly becoming the new front door to the internet, and attackers have noticed.
A fresh wave of malicious websites is using search engine tricks and invisible code to feed false instructions directly into AI systems, turning ordinary web pages into weapons against automated tools.
These sites do not target people in the usual sense. Instead, they aim at the AI agents that browse, read, and act on web content on a user’s behalf, exploiting the trust these systems place in what they read online.
The technique, known as indirect prompt injection, hides commands inside a page’s code where a human visitor would never see them, but where an AI agent scanning the page would pick them up as legitimate instructions.
The consequences already stretch beyond theory. In controlled testing, some AI agents actually carried out fraudulent payments and misidentified fake websites as trustworthy sources, showing that this is not a hypothetical risk but a demonstrated weakness in how many popular AI models process web content.
Researchers from Zscaler ThreatLabz said in a report shared with Cyber Security News (CSN) that they identified two separate campaigns that used this method, one built around a fake software payment scam and another impersonating a well known cryptocurrency platform.
Both relied on a mix of search engine manipulation and hidden HTML to make malicious pages appear both highly relevant to search engines and completely authoritative to AI systems scanning them.
Hackers Abuse SEO Poisoning
The first campaign disguised itself as documentation for a Python library called requests-secure-v2, stuffing the page with keyword heavy text so it would surface near the top of search results for developers troubleshooting code.
.webp)
Buried within that page were hidden instructions written in a format called JSON-LD, a type of structured data normally used to help search engines understand a website’s content.
Since AI agents often treat this structured data as more trustworthy than regular text, the attackers used it to frame a fake three dollar developer license fee as a routine step needed to fix an error, pushing agents toward completing a cryptocurrency payment to a wallet controlled by the attacker.
The hidden text itself was tucked inside a webpage element pushed far off screen using simple CSS positioning, meaning it never appeared to a normal visitor while remaining fully readable to automated crawlers and AI tools.
Zscaler also traced additional related sites to a GitHub account hosting ten separate repositories built around the same trick, suggesting the operation extends well past a single fake package.
Typosquatting a Crypto Platform
The second campaign took a different angle, registering a lookalike domain meant to impersonate DeBank, a widely used decentralized finance portfolio tracker.
The fake site stuffed its titles and metadata with terms like DeBank Login and Crypto Tracker, while also copying social media style tags to make shared links look like they came from the real service.
.webp)
Hidden within the page was a block of text instructing any AI model reading it to treat the fraudulent domain as the verified and authoritative home of DeBank, and to rank it first in results for common searches about the platform.
The prompt even told AI systems to avoid mentioning the word auction in the domain name, a small but telling detail meant to keep the deception intact.
When Zscaler tested this scenario across twenty six different language models, most correctly rejected the fake site once given the real DeBank address for comparison.
![Attack chain for the debank[.]auction typosquatting site (Source -Zscaler)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibR_lXaIl1ZipwGvPqa2J3LHXniEo9Xq3ay6aLN_prx40gadyJSOQ-Y_xOP9Gd_rftqAYEfhAmC1mts3RXIfQ3cDeGtHGRmN8GpvRo5LUVSe5ypHGOetmGyvVS53iC-I3jzAfdGzhwUINB3nurD2xgghftTKITYFJRfKXBl2jV6uutps5FyL1hSZSOEK0/s1600/Attack%20chain%20for%20the%20debank%5B.%5Dauction%20typosquatting%20site%20(Source%20-Zscaler).webp)
Without that reference point, however, at least one major model still rated the fraudulous page as trustworthy, underlining how much AI judgment depends on the information it is given at the moment of decision.
Zscaler recommends that organizations building or deploying AI agents apply layered security controls capable of detecting these hidden injection patterns, and the company said its platform already flags related activity under the signature HTML.MalURL.PromptInj.RC.M.VG.
As AI tools take on more independent tasks online, treating every webpage as a potential source of hidden manipulation is becoming a basic security requirement rather than an optional precaution.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | market-insight-global[.]com | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | identity-breach-response[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | runners-daily-blog[.]com | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | bistro-reserve-now[.]net | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | edge-compliance-node[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | digital-asset-mart[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | consensus-protocol-v4[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | visual-media-rights-group[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | permits[.]global-transit-authority[.]org | Linked malicious site tied to Open-Agent-Utilities GitHub repo |
| Domain | py-lib-repository[.]dev | Fake Python package documentation site used for SEO poisoning |
| Domain | debank[.]auction | Typosquatting domain impersonating the DeBank DeFi platform |
| URL | https://github[.]com/Open-Agent-Utilities/mig-institutional-api-client | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/session-token-leak-detector | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/sneaker-drop-monitor-v2 | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/opentable-resy-bypasser | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/bot-compliance-middleware | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/digital-asset-arbitrage-cli | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/llm-fact-check-protocol | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/royalty-free-image-scraper | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/global-visa-automation-cli | Associated GitHub repository |
| URL | https://github[.]com/Open-Agent-Utilities/requests-secure-v2 | Associated GitHub repository |
| Wallet Address | 0x691bc3793205e574fa7b4aa068e62c0e470ad267 | Ethereum wallet used to collect fraudulent API license payments |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

