Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
The Future of Encryption: Top Post-Quantum Cryptography Solutions for 2026
July 3, 2026
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Apache ActiveMQ Critical Vulnerabilities Allow DoS Attacks, System Crashes
July 3, 2026
Home/Threats/AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
Threats

AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents

Key Takeaways Threat actors are actively using SEO poisoning and hidden HTML to manipulate AI agents. This “indirect prompt injection” technique exploits how AI models process web...

Marcus Rodriguez
Marcus Rodriguez
July 3, 2026 4 Min Read
3 0

Key Takeaways

  • Threat actors are actively using SEO poisoning and hidden HTML to manipulate AI agents.
  • This “indirect prompt injection” technique exploits how AI models process web content, making them execute malicious instructions.
  • Two distinct campaigns were identified: one involving a fake software payment scam and another impersonating a cryptocurrency platform.
  • AI agents, in testing, performed fraudulent payments and misidentified fake sites as legitimate.
  • Organizations deploying AI agents must implement robust security controls to detect hidden injection patterns.

As artificial intelligence agents increasingly serve as the primary gateway to online information and services, cyber attackers are rapidly adapting their tactics to target these automated systems. A new and concerning trend involves the use of sophisticated SEO manipulation and concealed code within websites to deliver malicious directives directly to AI models. This transforms seemingly innocuous web pages into potent tools for subverting AI-driven actions.

Table Of Content

  • Key Takeaways
  • Hackers Abuse SEO Poisoning
  • Typosquatting a Crypto Platform
  • What You Should Do

Unlike traditional cyberattacks that focus on human users, these campaigns specifically target AI agents that browse, interpret, and act upon web content on behalf of a user. The attackers exploit the inherent trust AI systems place in the information they gather from the internet, leading to potentially severe consequences.

This method, known as indirect prompt injection, involves embedding hidden commands within a webpage’s underlying code. These instructions are designed to be imperceptible to a human visitor but are readily detected and processed by an AI agent scanning the page, which then interprets them as legitimate operational directives. Controlled experiments have already demonstrated the practical dangers of this technique. Some AI agents were observed initiating fraudulent payments and erroneously validating counterfeit websites as trustworthy sources, confirming that this is not merely a theoretical vulnerability but a proven flaw in how many prevalent AI models handle web-based data.

Researchers from Zscaler ThreatLabz said in a report shared with Cyber Security News (CSN) that their investigations uncovered two distinct campaigns employing this strategy. One scheme revolved around a deceptive software payment operation, while the other mimicked a prominent cryptocurrency platform. Both attacks leveraged a combination of search engine optimization (SEO) poisoning and hidden HTML elements to ensure their malicious pages ranked highly in search results and were perceived as authoritative by AI systems during content scraping.

Hackers Abuse SEO Poisoning

The first identified campaign masqueraded as official documentation for a Python library named “requests-secure-v2.” The attackers heavily infused the webpage with keywords relevant to developers seeking code troubleshooting solutions, aiming to push the malicious page to the top of search engine results.

Within this seemingly legitimate documentation, hidden instructions were embedded using JSON-LD, a structured data format typically used by search engines to better understand a website’s content. Recognizing that AI agents often assign higher trustworthiness to structured data than to plain text, the attackers exploited this to present a fake $3 developer license fee as a necessary step to resolve a coding error. This manipulation effectively directed AI agents toward initiating a cryptocurrency payment to an Ethereum wallet, 0x691bc3793205e574fa7b4aa068e62c0e470ad267, under the control of the threat actors.

The deceptive text itself was ingeniously concealed within a webpage element positioned off-screen using basic CSS, rendering it invisible to human users while remaining fully accessible to automated crawlers and AI tools. Zscaler’s analysis further revealed that additional related sites were linked to a GitHub account hosting ten separate repositories, all utilizing the same deceptive technique. This suggests a broader operation extending beyond a single fake software package, with domains like market-insight-global[.]com, identity-breach-response[.]org, and py-lib-repository[.]dev among the indicators of compromise.

Typosquatting a Crypto Platform

The second campaign adopted a different approach, registering a typosquatting domain, debank[.]auction, designed to imitate DeBank, a popular decentralized finance (DeFi) portfolio tracker. The fraudulent site strategically populated its titles and metadata with terms such as “DeBank Login” and “Crypto Tracker.” It also replicated social media-style tags to make shared links appear as if they originated from the authentic DeBank service.

A crucial element of this attack was a hidden block of text within the page that explicitly instructed any AI model reading it to consider the fraudulent domain as the verified and authoritative source for DeBank. The prompt even directed AI systems to prioritize this fake site in search results for common queries related to the platform. A subtle but revealing detail in the prompt was the instruction for AI systems to omit the word “auction” when referencing the domain name, a clear attempt to maintain the illusion of legitimacy.

Zscaler conducted tests across twenty-six different language models to evaluate the effectiveness of this deception. When provided with the genuine DeBank address for comparison, most models successfully identified and rejected the fake site. However, in the absence of this crucial reference point, at least one major AI model still deemed the fraudulent page trustworthy. This outcome underscores the significant dependency of AI judgment on the immediate information it processes at the point of decision.

What You Should Do

  • Implement Layered Security: Organizations developing or deploying AI agents must integrate layered security controls capable of detecting and mitigating these indirect prompt injection patterns.
  • Content Validation: Enhance AI agent capabilities to rigorously validate the authenticity and authority of web content, especially when encountering structured data or hidden HTML elements.
  • Cross-Referencing: Program AI agents to cross-reference information with multiple trusted sources before executing any instructions or making judgments based on web content.
  • Anomaly Detection: Deploy AI-specific anomaly detection systems to identify unusual behaviors or outputs from AI agents that might indicate manipulation.
  • Stay Updated: Monitor threat intelligence feeds for new prompt injection techniques and ensure AI models and security systems are updated accordingly. Zscaler’s platform, for instance, already flags related activity under the signature HTML.MalURL.PromptInj.RC.M.VG.

As AI tools become increasingly autonomous in their online operations, the imperative to treat every webpage as a potential source of hidden manipulation transitions from a cautious recommendation to a fundamental security requirement.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitHackerSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Nebula AI Platform Automates Pen Testing to Find Vulnerabilities

Next Post

Scammers Impersonate Brands in Gambling Ads to Drive Casino Traffic

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Nebula AI Platform Automates Pen Testing to Find Vulnerabilities
July 3, 2026
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
FBI Warns TeamPCP Hackers Exploit Developer Tools in Supply Chain Attacks
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us