DeepMind — 32% Surge in Malicious Prompt Injections Targets Payment Agents

AI relevance: AI agents with payment and API access are becoming the primary target of indirect prompt injection campaigns growing at 32% quarter-over-quarter, per Google DeepMind's large-scale web scan.

What happened

• Google DeepMind scanned billions of web pages across Common Crawl and found a 32% quarter-over-quarter increase in malicious indirect prompt injections between November 2025 and February 2026.
• Discovered payloads go beyond data exfiltration — several contained step-by-step payment instructions designed to execute when an AI agent with financial access reads the poisoned content.
• Academic researchers independently validated scale: a crawl of 1.2 billion URLs identified 15,300 pages with active prompt injection payloads across 11,000 distinct hosts.
• Unit 42 catalogued 22 unique delivery methods in the wild, including HTML comments, invisible CSS elements, meta tags, and aria attributes.
• Forcepoint X-Labs captured 10 live payload templates in normal traffic monitoring, with recurring trigger strings indicating shared attack templates rather than one-off improvisation.
• Delivery channels have expanded from emails and shared docs into README files, LICENSE.txt, and common code repositories — targeting AI coding assistants that read project files automatically.

Why it matters

The shift from experimental prompt injection to live, financially motivated campaigns marks a maturation of the threat. When attackers embed payment instructions rather than just exfiltration directives, the attack transitions from espionage to active fraud. The 32% quarterly growth rate suggests that indirect injection is now a scalable, repeatable attack vector rather than a niche technique. Combined with the explosion of agentic systems granted write access to financial and operational APIs, the surface area for profitable exploitation is widening faster than defenses.

What to do

• Restrict agent payment authority. Any agent with payment access should require explicit human confirmation for transactions above a minimal threshold. Implement per-transaction approval workflows.
• Scan content before ingestion. Deploy pre-model content filters that detect hidden HTML elements, off-screen CSS, and known trigger strings before passing content to LLM context windows.
• Treat all external content as untrusted. Apply strict least-privilege scoping to agent tool access. Separate instruction channels from data channels architecturally — don't flatten both into the same context window.
• Monitor for anomalous outbound requests. Alert on unexpected API calls, payment initiations, or data transfers triggered by agents processing external content.
• Audit agent-read file pipelines. Ensure AI coding assistants don't auto-execute instructions found in dependency files, READMEs, or third-party code comments without human review.

Sources

• GN Crypto — Prompt Injection Hijacks AI Chatbots: Security Risk (May 30, 2026)
• AI-CERTS — Prompt Injection Vulnerabilities Move From Lab To Live Attacks
• Forcepoint X-Labs — 10 Indirect Prompt Injection Payloads in the Wild