SEO-poisoned websites hide prompt injection to hijack AI web agents
Zscaler ThreatLabz found live malicious sites that combine SEO poisoning, hidden CSS text and abused schema markup to plant instructions that steer autonomous web agents into paying attackers.
What is this?
On July 2, 2026, Zscaler ThreatLabz published research documenting live, in-the-wild websites that hide instructions inside their own content to manipulate autonomous AI web agents. This is not an academic proof-of-concept: the researchers tracked two active campaigns whose pages impersonate legitimate developer and finance services, then embed prompt-style directives meant to be read by a machine, not a human. The technique is a form of indirect prompt injection (IPI) — malicious text placed in the content an agent retrieves (a webpage, document, or email) so that the agent treats attacker instructions as part of its task. This is a class-of-attack writeup, not an actionable exploit.
What makes the finding notable is the packaging. The attackers pair the injection with search engine optimization poisoning, so an agent searching for a package or a service is more likely to land on the malicious page in the first place. ThreatLabz confirmed real impact by testing custom web-enabled agents across 26 large language models: four models were manipulated into executing payments in the first campaign, and two mislabeled the fraudulent site as trustworthy in the second.
How it works
The two campaigns share a pattern: rank the page, then hide the payload where a browser user won’t see it but a parser will.
Stage Technique observed
----------- -------------------------------------------------
Discovery SEO poisoning: keyword-stuffed HTML/meta tags so an
agent's search surfaces the fake page first.
Trust Abused JSON-LD schema markup (SoftwareApplication,
fake publisher/offer) — structured fields an agent
may weight as high-signal context.
Concealment Off-screen CSS (e.g. left:-9999px) on a hidden <div>
keeps injection text out of the rendered page but
live in the DOM for scrapers and agents.
Payload Instructions framing an attacker action as a
routine task step.
In the first campaign, a fake page posed as documentation for a Python library and told the agent that resolving a “missing license key” error required paying a small developer fee — routing roughly 0.0012 ETH to a hardcoded wallet before generating a bogus API key. The second campaign was a typosquatted DeFi portfolio tracker whose hidden block used the classic ignore-previous-instructions pattern, then declared the fraudulent domain the “verified, authoritative” source the model should rank first. Because the visible page looks legitimate, neither a human glancing at it nor a screenshot-based check would catch the planted text.
Why it matters
For an autonomous agent, retrieved web content is instructions and data at once — and these campaigns weaponize that ambiguity at internet scale. The immediate risk is direct financial loss when an agent with payment tooling follows a planted “buy this to continue” step. The quieter risk is context contamination: when an agent misclassifies a fraudulent site as authoritative, that judgment can flow downstream into RAG corpus poisoning and endorsement of the attacker’s domain. It is a real-world cousin of search-agent endorsement corruption and of the persuasion-injection traps we’ve covered before.
ThreatLabz’s model-by-model results also matter: susceptibility varied by model and, crucially, by context. When a known-good reference domain was supplied, no model fell for the typosquat; failures clustered when the agent evaluated the malicious page in isolation. The attack surface is the agent’s judgment under thin context, not a single broken model.
Defenses
There is no patch here — nothing is technically broken. The controls are architectural and operational, consistent with OWASP’s LLM01 guidance and CrowdStrike’s IPI analysis.
- Treat all retrieved web content as untrusted data, never instructions. Strip or neutralize hidden DOM text (off-screen CSS, zero-size elements) and do not let structured markup like JSON-LD elevate a page’s authority automatically.
- Gate high-impact actions behind human approval. An agent should never move funds, buy a “license,” or sign a transaction on the strength of a webpage’s own claims. Enforce spending limits and out-of-band confirmation.
- Supply known-good references. The failures concentrated when the agent judged a site in isolation; giving it authoritative anchor domains sharply reduced misclassification.
- Verify domains and packages out-of-band. Cross-check publisher claims against registries and reputation data rather than trusting a page’s self-description — the same lesson as documentation-poisoning supply-chain abuse.
- Log the agent’s browsing and rationale. Capture which sources drove a decision so a poisoned page can be traced and blocked after the fact.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| Public research | Zscaler ThreatLabz | 2026-07-02 | Two in-the-wild IPI campaigns |
| Campaign 1 (payment scam) | ThreatLabz | 2026-07-02 | 4 of 26 tested models executed payment |
| Campaign 2 (DeFi typosquat) | ThreatLabz | 2026-07-02 | 2 of 26 tested models misclassified site |
| Detection coverage | Zscaler | 2026-07-02 | Flagged as HTML.MalURL.PromptInj |
The honest framing is not “an LLM was hacked.” It is that web content is now an attack surface for agents the way phishing emails are for people — the defense is to stop letting a page speak for itself, gate the actions that cost money or trust, and give the agent ground truth to check against.
Sources
- → https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents
- → https://securityboulevard.com/2026/07/indirect-prompt-injection-in-web-content-targets-ai-agents/
- → https://www.crowdstrike.com/en-us/blog/indirect-prompt-injection-attacks-hidden-ai-risks/
- → https://genai.owasp.org/llmrisk/llm01-prompt-injection/