criticalPrompt injection·May 14, 2026

AGS-2026-0020

Web-based indirect prompt injection in agent browsing — observed in the wild (Unit 42)

What happened

Unit 42 observed live indirect-prompt-injection attacks against AI agents that browse the web. Pages contain hidden instructions (off-screen text, comments, image alt-text) that hijack the agent's reasoning when it reads them.

Observed outcomes: agents asked to 'summarize this article' instead exfiltrate the user's environment to an attacker-controlled URL, or call tools the user didn't request.

This is no longer a research curiosity — it's a deployed TTP.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

References

https://unit42.paloaltonetworks.com/ai-agent-prompt-injection/