Security teams at Google DeepMind and Forcepoint have documented a fast-emerging threat to autonomous AI systems: ordinary web pages are being weaponized to steer agents into unauthorized actions. Between April 20 and April 27, 2026, coordinated analyses showed malicious pages being used in the wild to manipulate agent behavior, including payloads designed around payment execution and large-scale data exfiltration.
The risk is acute because agentic systems often operate with valid service credentials. If a compromised browsing session leads an agent to send money, trigger commands or expose data, the resulting activity can appear routine in logs, even when the underlying instruction came from hidden web content.
Hidden Instructions Become an Attack Surface
Google DeepMind described the threat through a framework called “AI Agent Traps,” mapping how normal-looking web content can conceal instructions that redirect autonomous workflows. Forcepoint researchers separately verified ten indirect prompt injection payloads active in the wild, moving the concern from theoretical research into live operational risk.
The techniques are designed to evade human review while remaining readable to AI systems. Reported examples included single-pixel hidden text, HTML comments invisible to users but parsed by agents, steganographic instructions embedded in images and fully specified payment URLs built to auto-complete transactions.
Forcepoint also documented payloads involving complete payment instructions, including a $5,000 PayPal.me transfer and Stripe donation links, aimed at agents with integrated payment capabilities. That turns web browsing into a potential transaction-control problem, especially for firms connecting agents to financial systems, enterprise platforms or privileged internal tools.
Google Threat Intelligence reported a 32% rise in malicious indirect prompt injection activity between November 2025 and February 2026. That trend suggests the latest findings are not isolated experiments, but part of a broader shift toward exploiting agentic workflows at scale.
Payment Authority Requires Stronger Runtime Controls
The operational problem is straightforward. An agent with legitimate credentials and authority to execute payments or terminal commands can be manipulated by hostile web content into taking unauthorized actions. Because the agent is authenticated, those actions may blend into standard audit trails.
OWASP’s classification of prompt injection as LLM01:2025 already places the issue high on secure-development agendas. The recent field reports add urgency for product, security and compliance teams, particularly where agents have access to payment rails, customer data or administrative systems.
Liability remains unresolved. There is no clear legal framework assigning responsibility when an AI-driven transaction is compromised through hidden web instructions. That uncertainty leaves firms exposed to financial loss, regulatory scrutiny and post-incident disputes over whether the failure sat with the model, the platform, the user or the organization deploying the agent.
Short-term defenses should focus on reducing agent authority. Payment execution should require explicit human confirmation, agent privileges should be narrowly scoped, and telemetry should link agent decisions back to the original web content that influenced them. Monitoring alone is unlikely to be enough when malicious instructions are designed to look like normal page elements.
For financial institutions, payment processors and enterprise platforms, agent access to money movement should now be treated as a high-risk capability. The immediate priority is to reassess deployment policies, logging, approval flows and legal exposure before a hidden prompt becomes a live financial loss.