Google — 32% Rise in Indirect Prompt Injection Attacks Found Across Public Web
AI relevance: Google threat intelligence scanned billions of pages in the Common Crawl dataset and identified a 32% increase in malicious indirect prompt injection payloads embedded in public websites between November 2025 and February 2026 — the first large-scale measurement of this attack class in the wild.
What happened
- Google's threat intelligence team analyzed website snapshots from the Common Crawl archive, searching for known indirect prompt injection patterns hidden in HTML content.
- They used Gemini and human review to filter false positives, separating harmless pranks and SEO manipulation from genuine malicious payloads.
- Malicious injections fell into two categories: exfiltration (instructing AI to collect IPs, credentials, or internal data and send them to attacker-controlled endpoints) and destruction (instructing AI to delete files on the user's machine).
- Sophistication remains relatively low — Google found no evidence that attackers have productionized the advanced indirect prompt injection techniques published by security researchers in 2025.
- However, the 32% quarter-over-quarter increase signals that the threat is actively maturing. Google warns that both scale and sophistication are expected to grow.
- The scan also surfaced non-malicious use: some site owners embed AI-directed instructions to deter crawling, boost SEO rankings, or simply prank visiting agents.
- The full analysis was published on the Google Security Blog.
Why it matters
- This is the first quantitative, large-scale measurement of indirect prompt injection in production web content — moving the threat from theoretical to empirically observed.
- Current defense architectures (firewalls, EDR, IAM) are blind to these attacks because the agent uses legitimate credentials and authorized service accounts. The malicious action looks identical to normal operations.
- The gap between research-grade injection techniques (complex multi-step chains published in 2025) and what's in the wild is narrowing — and the upward trajectory means that gap may not last.
- Any enterprise AI agent that browses the public internet — for research, candidate screening, competitive analysis, or content summarization — is exposed to this threat by design.
What to do
- Deploy a dual-model architecture: use a small, isolated "sanitiser" model to fetch and strip external web content before passing plain-text summaries to your primary agent.
- Enforce strict tool compartmentalisation — agents that browse the public web should never also have write access to internal databases, email systems, or file stores.
- Implement audit trails that trace every AI decision back to its source data and URLs, enabling forensic analysis when an agent's behavior deviates from expected patterns.
- Treat public web content as untrusted input by default — apply the same input-sanitisation discipline to agent web browsing as you would to user-submitted form data.