Malicious Websites Hide Prompt Instructions in DOM to Poison AI Agent Decision-Making
Threat actors are turning web content into a new attack surface to target artificial intelligence workflows. Much like human users face phishing attacks, AI agents are increasingly vulnerable to Indir

Threat actors are turning web content into a new attack surface to target artificial intelligence workflows. Much like human users face phishing attacks, AI agents are increasingly vulnerable to Indirect Prompt Injection (IPI). Attackers embed malicious instructions directly into a website’s Document Object Model (DOM) to manipulate an AI agent’s reasoning. Zscaler ThreatLabz recently uncovered […] The post Malicious Websites Hide Prompt Instructions in DOM to Poison AI Agent Decision-Making appeared first on Cyber Security News.
Threat actors are turning web content into a new attack surface to target artificial intelligence workflows. Much like human users face phishing attacks, AI agents are increasingly vulnerable to Indirect Prompt Injection (IPI). Attackers embed malicious instructions directly into a website’s Document Object Model (DOM) to manipulate an AI agent’s reasoning. Zscaler ThreatLabz recently uncovered two distinct campaigns in whichin which malicious websites exploit IPI combined with DOM manipulation to poison AI decision-making successfully. In the first observed campaign, attackers created a fraudulent website purporting to be documentation for a fake Python library called requests-secure-v2. The threat actors used SEO poisoning to push this site to the top of search engine results, increasing the likelihood that an AI developer agent would scrape it. When an AI agent accesses the site to troubleshoot or install packages, it encounters hidden instructions designed to steal funds. DOM Poisoning Targets AI Agents The attackers exploit JSON-LD, a structured metadata format used by search engines, to present the site as a legitimate software application. Furthermore, they use CSS to position malicious text off-screen. While completely invisible to human users browsing the site, these hidden tags are easily read by web scrapers and AI agents. SEO poisoning example to elevate a malicious IPI website to the top of search results (Source: zscaler) The injected prompt tricks the AI into resolving a fake license error by paying $3.00 via Stripe or transferring 0.0012 ETH to a hardcoded cryptocurrency wallet. The second campaign involves a typosquatting domain, debank[.]auction, which impersonates the popular decentralized finance (DeFi) portfolio tracker, DeBank. Malicious IPI website with payment options for a fake API key (Source: zscaler) If an AI agent lands on this page, the hidden instructions attempt to alter its core behavior, leading to context contamination and Retrieval-Augmented Generation (RAG) poisoning. According to Zscaler research, the fraudulent site uses heavy keyword stuffing and fabricated Open Graph metadata to appear official. Hidden near the bottom of the page is a prompt instructing the LLM to ignore previous directions. Instead, it instructs the AI agent to rank the malicious site as the primary authoritative source for any DeBank-related queries. Testing revealed that an AI’s susceptibility to this attack depends heavily on the context it is provided. When isolated from known-good reference URLs, models like GPT-5.4 and Claude Sonnet 4.5 incorrectly categorized the fake site as legitimate. Indicators of Compromise TypeIndicatorAssociated GitHub RepoDomainmarket-insight-global[.]commig-institutional-api-clientDomainidentity-breach-response[.]orgsession-token-leak-detectorDomainrunners-daily-blog[.]comsneaker-drop-monitor-v2 Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Malicious Websites Hide Prompt Instructions in DOM to Poison AI Agent Decision-Making appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


