AI agents treat all content uniformly as context, collapsing the traditional security boundary between data and commands that existing security stacks depend on. Researchers have documented a 32% surge in indirect prompt injection (IPI) attacks across billions of web pages, with…
Enterprise security was built on a principle that AI has quietly broken: the idea that instructions and information arrive from separate, trusted channels. A web page is data. A command is something a user types. AI agents do not make that distinction. They treat everything in a document, an email, or a webpage as context for their task. That architectural assumption, baked into every major security stack, is now a live attack surface. Google Threat Intelligence found a 32 percent jump in attacks exploiting it between November 2025 and February 2026, across versions of the Common Crawl archive containing 2 to 3 billion pages.
Forcepoint X-Labs found the evidence that the attacks are not theoretical. The security firm's threat hunters found 10 verified payloads hidden on real web infrastructure, live, deployed, and waiting. One was built to steal secret API keys from whatever system an agent runs on. One attempted to send $5,000 through a PayPal.me link with instructions for manual completion. One carried a command to recursively delete files. Infosecurity Magazine and Help Net Security both reported the PayPal payload in detail. To a human reading the page, nothing looked wrong. To the agent that fetched it, the hidden commands were part of the job.
The attack technique has a name: indirect prompt injection (IPI). Attackers hide instructions inside content using single-pixel text, near-transparent color, CSS display:none, HTML comments, or metadata tags, visible to AI scrapers but invisible to human reviewers. When an agent reads the page, it processes the hidden commands as part of its task, fully within normal operation. Traditional security scanning cannot see them because the content itself is not malicious, only the instructions buried inside it. The threat scales with what the agent can access: a browsing AI that only summarizes articles is low-risk if compromised, but an agent that can send emails, execute terminal commands, or process payments becomes a high-value target with access to whatever systems the company gave it.
Forcepoint found the same injection template across multiple domains, suggesting organized tooling rather than scattered individual experiments. An attacker who builds the infrastructure once can reuse it across campaigns at scale. Palo Alto Unit 42 identified 22 distinct techniques used in the wild, including a method specifically designed to evade AI-based ad review systems. The Perplexity Comet incident showed how one version of the attack works in practice. Attackers hid invisible text inside a public Reddit post. When Comet's AI summarizer fetched the page, it read the hidden instructions, extracted the user's one-time password, and sent it to an attacker-controlled server.
Security vendor Lakera, which makes Gandalf and Agent Breaker, sees millions of adversarial prompt injection attempts across enterprise deployments, according to its blog. The absolute number of attacks remains small compared to other categories of cybercrime. What changed is that the infrastructure to exploit agents at scale is now live and organized.
The bigger question is what enterprises actually deployed. Most security tools were not built to monitor what AI agents do with the web pages they read or the emails they access. The activity happens inside the model's context window, the working memory where it processes everything it reads. That behavior is invisible to existing logging and policy controls. Security teams running agentic workflows have less visibility into what their agents are actually executing than they do into what their employees do on corporate laptops.
No major enterprise has publicly disclosed a breach from indirect prompt injection. The payloads exist in the wild. Documented cases of active exploitation inside corporate environments have not yet surfaced. That gap between deployed infrastructure and confirmed breach is what security teams are watching.
What to watch next is whether any major cloud provider or AI lab announces a product-level mitigation, and whether enterprise security stacks begin treating AI agent traffic the way they treat employee web browsers, with monitoring, logging, and explicit policy controls. The attack surface is real and growing. The defenses are not there yet.