Agents
Unit 42 and Zscaler catch web-based indirect prompt injection tricking AI agents into crypto payments in the wild
Palo Alto Unit 42 documented two live campaigns that hide agent instructions across HTML body, JSON-LD, Open Graph tags, and off-screen CSS — one SEO-poisons results for a fake Python library ('requests-secure-v2') to make an agent send payment, the other pushes a fraudulent DeFi platform. In internal validation across 26 LLMs, 4 models failed to act safely on campaign 1 and 2 misclassified the site in campaign 2, so this is measured real-world impact, not a lab demo. This is the moment indirect prompt injection graduated from research toy to a monetized fraud primitive; any agent with browsing plus a payment/tool surface now needs content-provenance defenses, not just system-prompt hardening.
↳ Follow the thread