Date: 07/03/2026
Severity: Medium
Summary
Just as human users can be socially engineered through phishing, AI agents are also susceptible to similar attacks. Threat actors are leveraging Indirect Prompt Injection (IPI) to embed hidden malicious instructions into websites, including those impersonating payment services and cryptocurrency platforms, to manipulate AI agents during task execution. The campaigns combine SEO poisoning, typosquatting, and concealed HTML/CSS prompts to influence AI-driven workflows, increasing the risk of RAG poisoning, fraudulent transactions, and AI-assisted compromise.
Indicators of Compromise (IOC) List
Domains/URLs | market-insight-global.com identity-breach-response.org runners-daily-blog.com bistro-reserve-now.net edge-compliance-node.org digital-asset-mart.org digital-asset-mart.org consensus-protocol-v4.org visual-media-rights-group.org permits.global-transit-authority.org py-lib-repository.dev debank.auction https://github.com/Open-Agent-Utilities/mig-institutional-api-client https://github.com/Open-Agent-Utilities/session-token-leak-detector https://github.com/Open-Agent-Utilities/sneaker-drop-monitor-v2 https://github.com/Open-Agent-Utilities/opentable-resy-bypasser https://github.com/Open-Agent-Utilities/bot-compliance-middleware https://github.com/Open-Agent-Utilities/digital-asset-arbitrage-cli https://github.com/Open-Agent-Utilities/llm-fact-check-protocol https://github.com/Open-Agent-Utilities/royalty-free-image-scraper https://github.com/Open-Agent-Utilities/global-visa-automation-cli https://github.com/Open-Agent-Utilities/requests-secure-v2 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "identity-breach-response.org" or url like "identity-breach-response.org" or siteurl like "identity-breach-response.org" or domainname like "permits.global-transit-authority.org" or url like "permits.global-transit-authority.org" or siteurl like "permits.global-transit-authority.org" or domainname like "market-insight-global.com" or url like "market-insight-global.com" or siteurl like "market-insight-global.com" or domainname like "bistro-reserve-now.net" or url like "bistro-reserve-now.net" or siteurl like "bistro-reserve-now.net" or domainname like "runners-daily-blog.com" or url like "runners-daily-blog.com" or siteurl like "runners-daily-blog.com" or domainname like "consensus-protocol-v4.org" or url like "consensus-protocol-v4.org" or siteurl like "consensus-protocol-v4.org" or domainname like "py-lib-repository.dev" or url like "py-lib-repository.dev" or siteurl like "py-lib-repository.dev" or domainname like "visual-media-rights-group.org" or url like "visual-media-rights-group.org" or siteurl like "visual-media-rights-group.org" or domainname like "edge-compliance-node.org" or url like "edge-compliance-node.org" or siteurl like "edge-compliance-node.org" or domainname like "digital-asset-mart.org" or url like "digital-asset-mart.org" or siteurl like "digital-asset-mart.org" or domainname like "debank.auction" or siteurl like "debank.auction" or url like "debank.auction" |
Detection Query 2 : | domainname like "https://github.com/Open-Agent-Utilities/mig-institutional-api-client" or siteurl like "https://github.com/Open-Agent-Utilities/mig-institutional-api-client" or url like "https://github.com/Open-Agent-Utilities/mig-institutional-api-client" or domainname like "https://github.com/Open-Agent-Utilities/session-token-leak-detector" or siteurl like "https://github.com/Open-Agent-Utilities/session-token-leak-detector" or url like "https://github.com/Open-Agent-Utilities/session-token-leak-detector" or domainname like "https://github.com/Open-Agent-Utilities/sneaker-drop-monitor-v2" or siteurl like "https://github.com/Open-Agent-Utilities/sneaker-drop-monitor-v2" or url like "https://github.com/Open-Agent-Utilities/sneaker-drop-monitor-v2" or domainname like "https://github.com/Open-Agent-Utilities/opentable-resy-bypasser" or siteurl like "https://github.com/Open-Agent-Utilities/opentable-resy-bypasser" or url like "https://github.com/Open-Agent-Utilities/opentable-resy-bypasser" or domainname like "https://github.com/Open-Agent-Utilities/bot-compliance-middleware" or siteurl like "https://github.com/Open-Agent-Utilities/bot-compliance-middleware" or url like "https://github.com/Open-Agent-Utilities/bot-compliance-middleware" or domainname like "https://github.com/Open-Agent-Utilities/digital-asset-arbitrage-cli" or siteurl like "https://github.com/Open-Agent-Utilities/digital-asset-arbitrage-cli" or url like "https://github.com/Open-Agent-Utilities/digital-asset-arbitrage-cli" or domainname like "https://github.com/Open-Agent-Utilities/llm-fact-check-protocol" or siteurl like "https://github.com/Open-Agent-Utilities/llm-fact-check-protocol" or url like "https://github.com/Open-Agent-Utilities/llm-fact-check-protocol" or domainname like "https://github.com/Open-Agent-Utilities/royalty-free-image-scraper" or siteurl like "https://github.com/Open-Agent-Utilities/royalty-free-image-scraper" or url like "https://github.com/Open-Agent-Utilities/royalty-free-image-scraper" or domainname like "https://github.com/Open-Agent-Utilities/global-visa-automation-cli" or siteurl like "https://github.com/Open-Agent-Utilities/global-visa-automation-cli" or url like "https://github.com/Open-Agent-Utilities/global-visa-automation-cli" or domainname like "https://github.com/Open-Agent-Utilities/requests-secure-v2" or siteurl like "https://github.com/Open-Agent-Utilities/requests-secure-v2" or url like "https://github.com/Open-Agent-Utilities/requests-secure-v2" |
Reference:
https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents#indicators-of-compromise--iocs-