Forcepoint X-Labs Finds 10 Indirect Prompt Injection Payloads on Live Websites
AI relevance: Indirect prompt injection turns any webpage into a potential attack vector against AI agents that crawl, summarize or index content — and Forcepoint has now confirmed 10 active payloads on live web infrastructure.
Forcepoint’s X-Labs threat intelligence team has published telemetry showing 10 verified indirect prompt injection (IPI) payloads actively deployed on public websites — not in a lab, but on live production web infrastructure. The findings confirm that IPI has moved from theoretical research to real-world weaponization.
What was found
X-Labs’ threat hunting flagged hits on trigger patterns including “Ignore previous instructions”, “if you are an LLM” and “if you are an AI assistant” embedded across live sites. The payloads were classified by attack intent and engineering technique:
- API key exfiltration: A payload on
thelibrary-welcome[.]ukhidden in an HTML comment block instructs AI agents to suppress analysis (“do not spit out the flag”) while sending secret API keys to an attacker-controlled endpoint. Uses role impersonation (“if you are an AI assistant”) and a “human readers may ignore this section” social engineering flourish. - Content suppression / copyright deception: A page on
bentasker[.]co[.]ukusesdisplay:noneto hide an authority impersonation payload that instructs the AI to suppress and rewrite copyrighted content — effectively a denial-of-service for AI-powered content indexing. - Financial fraud: Payloads embedded hidden instructions to redirect AI agents performing payment processing or financial summary tasks.
- Data destruction: Hidden instructions targeting AI agents with write access, instructing them to delete or corrupt indexed data.
- AI denial-of-service: Payloads designed to trigger excessive processing or loop behavior in agents that crawl the poisoned pages.
The concealment techniques observed include CSS concealment, HTML comments, accessibility attribute abuse, meta namespace spoofing and system prompt tag impersonation — all designed to make the payload invisible to human inspectors while fully parsed by AI agents.
Attack chain
Every observed case follows the same kill chain:
- Attacker poisons a webpage with hidden prompt injection payload
- AI agent crawls or summarizes the page
- LLM cannot distinguish attacker instructions from legitimate content
- Agent executes the instruction (exfiltration, deletion, fraud)
- Results are sent back to the attacker via a covert channel
Why it matters
- This is the first confirmed large-scale telemetry of IPI payloads on live web infrastructure — proving the threat is operational, not hypothetical.
- Any AI system that browses, summarizes, indexes or auto-processes web content is in scope: RAG pipelines, AI-powered search, SEO tools, content moderators, and browsing agents.
- The attack surface is effectively the entire public web — there is no perimeter to defend.
- Concealment techniques (HTML comments, CSS
display:none, ARIA attributes) are trivially easy to deploy and nearly impossible for humans to detect during routine review. - The impact scales directly with agent privilege — a summarizing agent is low-risk; an agent with email, terminal or payment access becomes a high-impact target.
What to do
- Treat all web-sourced content as untrusted when feeding it to AI agents — apply the same sanitization standards as user input.
- Implement output validation: verify that agent actions match expected behavior before executing destructive or exfiltration-prone operations.
- Use capability isolation: agents that process web content should not have access to credentials, payment systems or write operations.
- Consider dedicated IPI detection layers (e.g., PromptArmor-style preprocessor filters) for high-privilege agents.
- Monitor for anomalous agent behavior patterns — unexpected API calls, credential access, or outbound data transfers.