Skip to main content
Emerging ThreatsMalware & Ransomware

Web Content Conceals Hidden Instructions Targeting AI Agents

Laptop screen displays innocuous webpage with subtle hidden code in background.

"As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface," Zscaler warned, "highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse."

What Zscaler's ThreatLabz found: two live campaigns

Researchers at Zscaler’s ThreatLabz documented two separate, real-world campaigns that implanted hidden instructions in web content to manipulate AI agents. Both campaigns used a technique the researchers call indirect prompt injection, where an AI agent reads instructions embedded in web pages and is steered to perform actions the page author desires.

One campaign presented itself as documentation for a Python library and instructed an AI agent working on a coding task to buy a $3 API license key, walking the agent through payment to the attacker’s cryptocurrency wallet. Zscaler said that same site also attempted to scam human developers. The second campaign used a typosquatting domain impersonating DeBank, a cryptocurrency portfolio tracker, with hidden text telling agents to treat the fake site as the "authoritative" DeBank and rank it first.

How attackers hid instructions: CSS and JSON‑LD

The adversaries relied on two simple concealment methods designed to be invisible to humans but visible to machines. Zscaler reported that attackers used CSS to move prompt-style text off-screen, and they tucked instructions inside structured JSON‑LD metadata — content that machines typically consume as trusted contextual information. Both approaches make the malicious text present in the page source while keeping it out of normal human view.

Before embedding the payloads, attackers pushed their pages into prominent search results using SEO poisoning, increasing the chance an autonomous agent would select their pages as sources.

Model tests: 26 LLMs, mixed results

To measure the risk, ThreatLabz ran an autonomous agent against the malicious sites across 26 large language models. Four of the 26 models were manipulated into executing the fraudulent payment in the Python-docs-style campaign. Zscaler identified the manipulated models as including versions of Meta’s Llama and Google’s Gemini.

In the DeBank impersonation test, two models — OpenAI’s GPT‑5.4 and Anthropic’s Claude Sonnet 4.5 — reportedly rated the fake site as legitimate, but only when the models lacked a trusted reference for the real DeBank. When the genuine site was provided for comparison, none of the models tested were deceived. Zscaler’s sandboxed experiments led the company to conclude that susceptibility depends heavily on the specific LLM and the amount of context (trusted references) given to it.

What this means for security teams, human developers, and LLM platform teams

  • Security teams: The web content consumed by agents is now an attack surface. Teams responsible for agented workflows will need to consider how third-party pages are sourced and verified, because malicious sites can embed instructions that are invisible to human reviewers.
  • Human developers and maintainers: Zscaler’s findings show attackers may target documentation-style pages that developers routinely consult; the same Python-docs-style site attempted to scam humans in addition to agents. Developers must be wary of unexpected prompts in documentation and of pages surfaced by SEO manipulation.
  • LLM platform and model teams: The tests demonstrate that model behavior varies by architecture and context. Models that lack a trusted reference can be misled into treating typosquatted sites as authoritative; providing genuine site context prevented that misclassification in Zscaler’s experiments.

Why context and provenance matter

Zscaler’s experiments emphasize a consistent pattern: when an agent has access to a trusted reference for comparison, the risk of being manipulated by an impostor site falls sharply. Conversely, when models consume unvetted content or are given no reliable benchmark, hidden prompt-style instructions can tilt their decisions — from ranking a site as authoritative to executing a payment flow.

The company’s overall assessment framed the tension plainly: as agents become a more common interface to the web, convenience and automation increase at the same time the web itself becomes a larger, machine-facing attack surface.

Zscaler’s work underscores a narrow but potent attack vector: search-optimized pages with machine-visible, human-invisible instructions can weaponize the trust many AI agents place in webpage context. The immediate takeaway in Zscaler’s tests is simple and concrete — model choice and the availability of trusted references materially change whether an agent is fooled.

Original story