Agregátor RSS

Legit-looking website, camera-on interviews, jokes about backdoors ... it worked

EXCLUSIVE  It all started with a LinkedIn message, as so many employment scams do these days.…

Posted by Thomas Brunner, Yu-Han Liu, Moni Pande

At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, Indirect Prompt Injection (IPI) is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise AI agents. But while the danger of IPI is widely discussed, are threat actors actually exploiting this vector today – and if so, how?

To answer these questions and to uncover real-world abuse, we initiated a broad sweep of the public web to monitor for known indirect prompt injection patterns. This is what we found. 

The threat of indirect prompt injection

Unlike a direct injection where a user "jailbreaks" a chatbot, IPI occurs when an AI system processes content—like a website, email, or document—that contains malicious instructions. When the AI reads this poisoned content, it may silently follow the attacker's commands instead of the user's original intent.

This is not a new area of concern for us and Google has been working tirelessly to combat these threats. Our efforts involve cross-functional collaboration between researchers at Google DeepMind (GDM) and defenders like the Google Threat Intelligence Group (GTIG). We have previously detailed our work in this area and researchers have further highlighted the evolving nature of these vulnerabilities.

Despite this collective focus, a fundamental question remains: to what degree are real-world malicious actors currently operationalizing these attacks?

Proactive monitoring at GoogleThe landscape of IPI on the web

There are many channels through which attackers might try to send prompt injections. However, one location is particularly easy to observe - the public web. Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Public research confirms these attacks are possible; consequently, we should expect real-world adversaries to exploit these vulnerabilities to cause harm.

Thus, we ask a basic question: What outcomes are real attackers trying to achieve today?

For ease of access and reproducibility, we chose to use Common Crawl, which is a large repository of crawled websites from the English-speaking web. Common Crawl provides monthly snapshots of 2-3 billion pages each. These are mostly static websites, which includes self-published content such as blogs, forums and comments on these sites, but as a caveat it does not contain most social media content (e.g., LinkedIn, Facebook, X, …) as Common Crawl skips websites with login walls and anti-crawl directives.

This means that, while prompt injections have been observed on social media, we reserve these for an upcoming separate study. For a first look, we can observe prompt injections even in standard HTML, for which Common Crawl conveniently provides not just the source, but also the parsed plaintext.

The challenge of false positives

The task of scanning large amounts of documents for prompt injections may sound simple, but in reality is hindered by an overwhelming number of false positive detections.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content. Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic. 

False positives: Most prompt injections in web content tend to be education material for researchers. (Source: GitHub/swisskyrepo)

When searching for prompt injections naively, the majority of detections are benign content – false positives in our case. Therefore, we opted for a coarse-to-fine filtering approach:

• Pattern Matching: We initially identified candidate pages by searching for a range of popular prompt injection signatures, like “ignore … instructions”, “if you are an AI”, etc.

• LLM-Based Classification: These candidates were then processed by Gemini to classify the intent of the suspicious text, and to understand whether they were part of the overall document narrative or suspiciously out of place.

• Human Validation: A final round of manual review was conducted on the classified results to ensure high confidence in our findings.

While this approach is not exhaustive and might miss uncommon signatures, it can serve as a starting point for understanding the quality of prompt injections in the wild. 

What we found

Our analysis revealed a range of attempts that, if successful, would try to manipulate AI systems browsing the website. Most of the prompt injections we observed fall into these categories:

• Harmless pranks

• Helpful guidance

• Search engine optimization (SEO)

• Deterring AI agents 

• Malicious

• Data exfiltration

• Destruction

Harmless Prank

This class of prompt injection aims to cause mostly harmless side effects in AI assistants reading the website. We found many instances of this – consider the source code of this website, which contains an invisible prompt injection that instructs agents reading the website to change their conversational tone:

Helpful Guidance

We also observed website authors who wanted to exert control over AI summaries in order to provide the best service to their readers. We consider this a benign example, since the prompt injection does not attempt to prevent AI summary, but instead instructs it to add relevant context.

We note that this example could easily turn malicious if the instruction tried to add misinformation or attempted to redirect the user to third party websites.

Search Engine Optimization (SEO)Some websites include prompt injections for the purpose of SEO, trying to manipulate AI assistants into promoting their business over others:
While the above example is simple, we have also started to see more sophisticated SEO prompt injection attempts. Consider the intricate prompt below, which was seemingly generated by an automated SEO suite and inserted into website text:Deterring AI agents

Some websites try to prevent retrieval by AI agents via prompt injection. There exist many examples of “If you are an AI, then do not crawl this website”. However, we also observed more insidious implementations: 

This injection tries to lure AI readers onto a separate page which, when opened, streams an infinite amount of text that never finishes loading. In this way, the author might hope to waste resources or cause timeout errors during the processing of their website.

Malicious: Exfiltration

We were able to observe a small number of prompt injections that aim at theft of data. However, for this class of attacks, sophistication seemed much lower. Consider this example:

As we can see, this is a website author performing an experiment. We did not observe significant amounts of advanced attacks (e.g. using known exfiltration prompts published by security researchers in 2025). This seems to indicate that attackers have yet not productionized this research at scale.

Malicious: Destruction

Finally, we observed a number of websites that attempt to vandalize the machine of anyone using AI assistants. If executed, the commands in this example would try to delete all files on the user’s machine:

While potentially devastating, we consider this simple injection unlikely to succeed, which makes it similar to those in the other categories: We mostly found individual website authors who seemed to be running experiments or pranks, without replicating advanced IPI strategies found in recently published research. 

What does this mean?

Our results indicate that attackers are experimenting with IPI on the web. While the observed activity suggests limited sophistication, this might be only part of the bigger picture.

For one, we scanned only an archive of the public web (CommonCrawl), which does not capture major social media sites. Additionally, even though sophistication was low, we observed an uptick in detections over time: We saw a relative increase of 32% in the malicious category between November 2025 and February 2026, repeating the scan on multiple versions of the archive. This upward trend indicates growing interest in IPI attacks. 

In general, threat actors tend to engage based on cost/benefit considerations. In the past, IPI attacks were considered exotic and difficult. And even when compromised, AI systems often were not able to execute malicious actions reliably.

We believe that this could change soon. Today’s AI systems are much more capable, increasing their value as targets, while threat actors have simultaneously begun automating their operations with agentic AI, bringing down the cost of attack. As a result, we expect both the scale and sophistication of attempted IPI attacks to grow in the near future.

Moving forward

Our findings indicate that, while past attempts at IPI attacks on the web have been low in sophistication, their upward trend suggests that the threat is maturing and will soon grow in both scale and complexity.

At Google, we are prepared to face this emergent threat, as we continue to invest in hardening our AI models and products. Our dedicated red teams have been relentlessly pressure-testing our systems to ensure Gemini is robust to adversarial manipulation, and our AI Vulnerability Reward Program allows external researchers to participate. 

Finally, Google’s established ability to process global-scale data in real-time allows us to identify and neutralize threats before they can impact users. We remain committed to keeping the Internet safe and will continue to share intelligence with the community.

To learn more about Google’s progress and research on generative AI threat actors, attack techniques, and vulnerabilities, take a look at the following resources:

• Google Workspace’s continuous approach to mitigating indirect prompt injections (blog post) from Google’s GenAI security team

• Mitigating prompt injection attacks with a layered defense strategy (blog post) from Google’s GenAI security team

• Beyond Speculation: Data-Driven Insights into AI and Cybersecurity (RSAC 2025 conference keynote) from Google’s Threat Intelligence Group (GTIG)

• AI Threat Tracker (report) from Google’s Threat Intelligence Group (GTIG)

• Google's Approach for Secure AI Agents (white paper) from Google’s Secure AI Framework (SAIF) team

• Advancing Gemini's security safeguards (blog post) from Google’s DeepMind team

• Lessons from Defending Gemini Against Indirect Prompt Injections (white paper) from Google’s DeepMind team

Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. [...]

Akcionáři americké mediální společnosti Warner Bros. Discovery dnes schválili převzetí firmy konkurentem Paramount Skydance za zhruba 110 miliard dolarů (téměř 2,3 bilionu Kč). Firmy se na spojení dohodly v únoru. O část společnosti Warner Bros. Discovery dříve usilovala rovněž streamovací platforma Netflix, se svou nabídkou však neuspěla. Transakci ještě budou schvalovat regulační orgány, a to nejen ve Spojených státech, ale také například v Evropské unii. Proti spojení podniků se staví řada herců, režisérů, scénáristů a dalších lidí z filmového a televizního průmyslu. Otevřený dopis odmítající fúzi podepsaly přes čtyři tisíce lidí. „Výsledkem bude méně příležitostí, méně pracovních míst, vyšší náklady a menší výběr pro diváky ve Spojených státech a po celém světě. Je znepokojivé, že by tato fúze snížila počet velkých amerických filmových studií na pouhá čtyři“ píše se v dopisu.

A relatively new ransomware family is using a novel approach to hype the strength of the encryption used to scramble files—making, or at least claiming, that it is protected against attacks by quantum computers.

Kyber, as the ransomware is called, has been around since at least last September and quickly attracted attention for the claim that it used ML-KEM, short for Module Lattice-based Key Encapsulation Mechanism and is a standard shepherded by the National Institute of Standards and Technology. The Kyber ransomware name comes from the alternate name for ML-KEM, which is also Kyber. For the rest of the article, Kyber refers to the ransomware; the algorithm is referred to as ML-KEM.

It's all about marketing

ML-KEM is an asymmetric encryption method for exchanging keys. It involves problems based on lattices, a structure in mathematics that quantum computers have no advantage in solving over classic computing. ML-KEM is designed to replace Elliptic Curve and RSA cryptosystems, both of which are based on problems that quantum computers with sufficient strength can tackle.

Read full article

Comments

Canonical vydal (email, blog, YouTube) Ubuntu 26.04 LTS Resolute Raccoon. Přehled novinek v poznámkách k vydání. Vydány byly také oficiální deriváty Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu Studio, Ubuntu Unity a Xubuntu. Jedná se o 11. vydání s dlouhodobou podporou (LTS).

All the Typhoons, everywhere, all at once

A majority of China-linked threat actors are using compromised routers and IoT devices worldwide, turning this gear into proxy networks to carry out further intrusions, steal sensitive data, and disrupt victim organizations’ operations, according to a joint 10-country advisory.…

The Bitwarden CLI was briefly compromised after attackers uploaded a malicious @bitwarden/cli package to npm containing a credential-stealing payload capable of spreading to other projects. [...]

Recently observed Trigona ransomware attacks are using a custom, command-line tool to steal data from compromised environments faster and more efficiently. [...]

Global IT spending is expected to rise this year to $6.31 trillion, according to a new forecast from Gartner, a 13.5% increase compared to 2025.

According to the research firm, AI is the single most important driver behind the growth, with investments in AI infrastructure, in particular, driving the trend. The data center systems segment is expected to grow by a whopping 55.8% during the year, by far the fastest growing of all categories.

At the same time, IT services continue to account for the largest share of total spending and are expected to exceed $1.87 trillion this year. Software is also showing strong growth, particularly in generative AI.

Growth is also expected in the device market, though at a significantly slower pace. Overall, the market is expected to reach approximately $856 billion, though Gartner says this growth is being slowed by rising memory prices.

Chinese market research firm Sigmaintell expects Apple to be the only company to see growth in the laptop market this year.

Overall, Sigmaintel predicts global notebook shipments will reach 181.1 million units this year, a decline of 8%. That drop will, in part, be caused by memory and component shortages and also by slowing market demand. That’s going to damage all of the notebook vendors, bar Apple,. 

Apple laptop sales expected to rise more than 20%

Sigmaintell calculates Apple will ship 28 million laptop in the year, up 21.7% from 2025. This puts Apple in third place in laptop shipments, a demand the company will be able to meet despite component shortages because of the efficient use of memory inherent to its systems. That memory efficiency acts as a protection against the impact of climbing costs, even as competitors struggle with the affects on their business.

Apple’s incoming CEO, John Ternan, is being presented as a hardware man, so he will no doubt be pleased to experience the benefit of MacBook Neo’s massive attack on the lower echelons of the market. The Neo is already generating millions of additional sales, something Apple’s diversified revenue engine, including services, can further capitalize on.

PC makers face steep decline

There’s quite stark news for PC manufacturers. The report predicts Lenovo, Dell, HP, and ASUS will see sharp sales declines and warns that the entire industry will need to quickly transition from hardware-based sales toward full ecosystem plays. 

That’s going to be extraordinarily difficult for most PC makers. Not only do most of them use operating systems they don’t build themselves, but most lack a successful range of services customers will happily choose to use. 

For the most part, while Apple offers Apple Music, competitors only offer Spotify, a situation that generates far less revenue for them. That lack of successful monetization in terms of attached income across the customer base meant less when the PC market was growing, but in an environment buffeted by multiple business challenges it becomes a vulnerability that cannot be ignored. It exposes the inherent weakness of a strategy in which hardware manufacturers rely on third parties for operating systems and services, as the lion’s share of income doesn’t reach those hardware makers. 

You can go your own way

There’s little doubt that part of the reason Apple is in such a strong position is because of its highly strategic outgoing CEO, Tim Cook, who led efforts to build a strong services business, accompanied by a wide ecosystem of complementary accessories. You don’t just buy an iPhone, you buy a Mac, AirPods, and Apple Music. You don’t just get an iPad, but you likely also acquire Apple Arcade. 

To a great extent, Apple’s strength now owes a big debt to the many years in which the company was marginalized. Forced to follow its own path, Apple deliberately developed its own unique platform-based approach. That approach meant the company remained profitable even when it held just a few percentage points of the PC market; as its market share improves, we can also see its profitability climb. 

The way that you do it

This good news may not matter as much as you might think to Apple’s leadership team. To them, while becoming the industry’s fastest-growing notebook manufacturer is nice, what matters more is crafting a platform experience that means something to the people using it. That, after all, is how to generate the high user satisfaction Apple’s platform loyalty and word-of-mouth recommendations come from.

That 16% of everyone purchasing a notebook this year will choose a Mac suggests a watershed moment for all Apple’s platforms.

You can follow me on social media! Join me on BlueSky,  LinkedIn, Mastodon, and MeWe. 

A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Huawei FreeBuds Pro 5 nehrají na efekt, ale na celek. Nepřekvapí designem ani jednou zásadní funkcí, zato se snaží být dobré ve všem. V době, kdy konkurence často tlačí na extrémy, je to možná rozumnější přístup, než se na první pohled zdá.

Před lety zaplavily trh první zdroje s polovodiči GaN, které usnadnily miniaturizaci a kapesní nabíječky pro mobil rázem utáhly i notebook. USB nabíječky začala nabízet i Alza pod vlastní značkou AlzaPower. Nejlevnější nabíječky se ale zahřívaly a trpěly nekvalitními komponentami. Při nákupu to ...

Předplatitelé Živě Premium si mohou přečíst naši analýzu a podrobný rozbor (doslova pitvu) aktuálně nejprodávanější USB rychlonabíječky od Alzy, AlzaPower G610CCA Fast Charge 67W. S testy nabíječek budeme pokračovat. Abychom nemuseli v každém od začátku vysvětlovat základy, připravili jsme tento ...

Push to protect minors risks hitting everyone online

Proton's boss has waded into the age verification fight with a warning that sounds less like child safety and more like an identity checkpoint for the entire internet.…

Hackers have compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments. [...]

Poslední skutečně kapesní konzole od Nintenda letos oslavila velké narozeniny. Start měla krušný, ale hráči na ni vzpomínají převážně v dobrém. Zásluhu na tom má kopa výborných her, z nichž vám dnes alespoň pár připomenu.

If you spend enough time looking at a monitoring dashboard, you start to see a comforting pattern. Green lights mean the servers are up, the logs are flowing, and everything feels under control. But if you look closer, you realize that linux logging is often more of a formal archive than a security tool. There is a quiet gap between seeing that a system is running and actually knowing what it is doing.

TPU 8 už nejsou jen jeden čip jako u předchůdce, ale dva. • Google vytvořil optimalizované akcelerátory pro trénink a inferenci. • Využije je pro AI Gemini, ale poskytne je také svým partnerům.