Complete IPI attack chain for this campaign | Image: Zscaler ThreatLabz
At a Glance
- Malware Family: Indirect Prompt Injection (IPI)
- Threat Actor: Suspected GitHub user (Open-Agent-Utilities)
- Target: Autonomous AI agents and LLMs
- Delivery Vector: SEO poisoning and Typosquatting
- Key Capabilities: Content manipulation, unauthorized transactions
- Source: Zscaler ThreatLabz
TL;DR
Indeed, threat actors now use malicious websites to attack automated systems. Specifically, they hide instructions inside web code to exploit AI agent vulnerabilities. Consequently, this indirect prompt injection aims to control the AI’s actions. Ultimately, the models execute commands hidden by the attackers.
Delivery
First, attackers use search engine optimization to rank their malicious pages highly. Additionally, they use typosquatting to mimic legitimate platforms. One campaign targets developers searching for a Python library called requests-secure-v2. Meanwhile, another campaign impersonates the decentralized finance tracker DeBank. As a result, this tricks search engines and AI models into trusting the fake sites. Attackers hide these traps inside JSON-LD structured data. Therefore, the systems read the malicious code while human users see normal web pages.
Infection Chain
Next, the process starts when an AI agent reads the poisoned webpage. For example, a hidden traceback layer contains direct commands. Then, the AI follows the hidden text. The report notes that indirect prompt injection is an example of attacks that embed malicious instructions in the content retrieved by an AI agent. Furthermore, the CSS styling keeps the text invisible to human visitors. Thus, the AI agent vulnerabilities are exposed without raising alarms.
Command-and-Control and Data-Exfiltration Behaviour
Instead of traditional networks, attackers force the AI to perform specific actions locally. Specifically, the first campaign attempts to steal cryptocurrency. Subsequently, the agent sends roughly 0.0012 Ethereum to a hardcoded wallet address. Conversely, the second campaign manipulates page rankings. The hidden instructions force the AI to declare the typosquatted domain as the official DeBank source. Consequently, these actions bypass standard security filters.
Defense or Detection Guidance
Therefore, organizations must secure their systems against these specific attacks. Furthermore, companies should implement strict validation for all web content retrieved by AI. Finally, monitor AI agents for unexpected monetary transactions. Security teams must isolate AI execution environments strictly to prevent unauthorized access.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.