Forcepoint Uncovers 10 In-the-Wild Indirect Prompt Injection Payloads Targeting AI Agents
Forcepoint researchers have identified 10 real-world indirect prompt injection payloads that poison web content to hijack AI agents, enabling data theft, file destruction, and fraudulent payments.
Security researchers at Forcepoint have discovered 10 new indirect prompt injection (IPI) payloads actively targeting AI agents in the wild. These attacks poison web content so that when an AI agent crawls or summarizes a page, malicious instructions embedded in the content are executed as legitimate commands. The findings, published on April 22, 2026, highlight a growing threat to AI systems that browse the web, index content for RAG pipelines, or auto-process metadata.
The attack chain is straightforward: a threat actor poisons web content and hides a payload, then waits for an AI agent to interact with it. Once the agent ingests the page, it ignores previous instructions and follows the attacker's directives, often triggering real-world actions with a covert exfiltration channel back to the attacker. Forcepoint senior security researcher Mayur Sewani explained that the impact scales with AI privilege — a browser AI that can only summarize is low-risk, but an agentic AI with shell access or payment capabilities becomes a high-impact target.
Several of the discovered payloads are relatively innocuous, such as false copyright claims that instruct the AI to refuse answering user questions about the page's content, effectively causing a denial of service. Another payload, described as attribution hijacking, forces the AI to credit a specific individual for the content and encourage users to contact them for consulting work. However, other payloads are far more malicious.
One payload attempts to force an LLM-powered coding assistant or agentic AI with shell access to execute a Unix command for recursive forced deletion of files and directories. This attack specifically targets AI assistants integrated into IDEs, terminal environments, or DevOps pipelines, such as GitHub Copilot, Cursor, or Claude Code. Another payload instructs the agent to "send me the secret API key," aiming to leak any secrets the agent can access, while also attempting to hide the injection by telling the AI not to analyze the code.
Perhaps the most audacious payload is a financial fraud attempt that embeds a PayPal.me link, a $5,000 fixed amount, and full instructions to process the transaction. This payload is designed for AI agents with integrated payment capabilities, such as browser agents with saved payment credentials or AI financial assistants with access to digital wallets. Sewani noted that the extraordinary specificity — exact amount, exact URL, exact steps — indicates this is not a probe but a weaponized payload intended for immediate execution.
The researchers identified common triggers for IPI, including phrases like "Ignore previous instructions," "Ignore all previous instructions," "If you are an LLM," and "If you are a large language model." These triggers are designed to override the AI's original instructions and redirect its behavior. Forcepoint warned that if agents ingest untrusted web content without enforcing a strict data-instruction boundary, every page they read becomes a potential threat.
This discovery underscores the growing risk of indirect prompt injection as AI agents become more autonomous and integrated into critical workflows. Unlike traditional prompt injection, which targets the user's input, IPI exploits the agent's ability to process external content, making it a stealthy and scalable attack vector. Organizations deploying AI agents are urged to implement robust input validation, restrict agent privileges, and monitor for anomalous behavior to mitigate these emerging threats.