Daylila

Cybersecurity · Tuesday, 7 July 2026

01 · Briefing · what happened

The web AI reads back to you is now a place attackers hide orders

Cybersecurity 4 min 8 sources

Researchers found booby-trapped websites that whisper hidden instructions to AI agents browsing the web — tricking some into sending crypto to a stranger's wallet. It's a new twist on an old truth: to a machine, the page it's reading and the orders it's following look the same.

Key takeaways

  • Attackers are hiding instructions inside web pages that AI agents read, and some agents obey them — a few were tricked into sending crypto to a stranger's wallet.
  • The trick is the oldest one there is: put something malicious where a trusted process will pick it up without checking — packages, emails, network gear, and now web content all work the same way.
  • If you let an AI agent handle money or accounts for you, keep a human in the loop for anything irreversible — the machine can't yet tell your orders from orders hidden in what it's reading.

An AI agent — a program you hand a task and let loose on the web to finish it — reads pages the way you’d read a menu: to find what it needs and act. Researchers at security firm Zscaler have now shown that if someone hides instructions inside those pages, some agents will follow them — including instructions to send money to a stranger [1].

The trap on the page

Zscaler documented two live campaigns using what’s called indirect prompt injection [1]. A prompt is the instruction you give an AI. “Indirect” means the instruction isn’t from you — it’s buried in a web page the AI reads while doing your task, and the AI can’t tell the two apart.

In the first campaign, attackers built a fake website for a Python software package called requests-secure-v2 and used search-ranking tricks to make it surface when an AI agent looked up how to install or fix that package [1]. Hidden on the page were instructions telling the visiting agent that acquiring an “API key” required a payment — with code to send cryptocurrency to a wallet the attackers controlled [1]. The instructions were even tucked into the page’s machine-readable markup to raise the odds an agent would obey [1].

The second campaign impersonated DeBank, a real crypto portfolio tracker, on a near-identical typosquatted address — a fake domain one keystroke off the genuine one [1]. Hidden text told any AI agent that the fake site was the real DeBank [1].

Zscaler built its own test agent and pointed 26 different AI models at the traps. Four were tricked into actually making a payment; two more mistook the fake DeBank for the real thing [1]. Most resisted — but “most” is not “all,” and the agents that fell for it moved real money with no human in the loop [1].

The old attack wearing new clothes

The same week showed how much of this is old crime finding a new door. North Korean hackers were caught seeding open-source software repositories with tampered packages, targeting the developers who build the tools everyone else depends on [2]. A newly spotted espionage group Kaspersky calls “Armored Likho” slipped an information-stealing program dubbed “BusySnake” into government and power-grid networks in Russia, Brazil, and Kazakhstan — getting in through emails dressed as official aid applications and psychological tests [3]. In every case the trick is the same as the crypto scam: put something malicious where a trusted process will pick it up and run it without checking.

Vulnerabilities kept the pattern going. Citrix disclosed CVE-2026-8451 on June 30 — a flaw in its widely used NetScaler network gear that can leak sensitive data from a device’s memory [4]. (A CVE is just the standard ID number given to a publicly known software flaw.) Within days of a working demonstration being published, attackers were exploiting it in the wild [4] — the same install-the-lock-after-the-burglar-arrives gap that runs through most patching.

When the automation is the attacker

Researchers also documented JadePuffer, described as the first fully automated ransomware attack driven by an AI model [5]. It broke into an exposed server through a known flaw, then let the AI enumerate the database, steal selected data, delete the original, and write the extortion note — start to finish, no human steering [5]. Notably, none of its individual techniques were new [5]. What was new was that a machine ran the whole playbook by itself.

Who pays when the data leaks

The human cost keeps landing on ordinary people whose data sat in someone else’s system. US law firm Blank Rome now faces a proposed class-action lawsuit for allegedly failing to protect clients’ personal information — including Social Security numbers — after hackers hit the firm in a May breach [6]. You never chose to trust Blank Rome; a matter you were part of put your details there anyway.

And the line between watcher and watched blurred further. A security researcher found that AI firm Anthropic had hidden tracking code in its Claude Code tool that quietly monitored users in China; Anthropic pulled it and called the effort an ended “experiment” after being exposed [7]. Separately, security expert Bruce Schneier warned that AI-powered surveillance — real-time facial recognition tied to mass databases — is close to being able to track nearly everything people do in public, and that this is a policy choice societies can still refuse [8].

The through-line: whether it’s a booby-trapped web page, a poisoned software package, or a tracker hidden in a tool, the attack works by slipping something into a channel a trusted system doesn’t think to question. The more we automate the reading and deciding, the more the content itself becomes the weapon.

02 · Lesson · why it matters

The oldest hole in security is a machine that can't tell an order from a fact

When one channel carries both the information and the instructions about it, whoever slips words into that channel can give the orders.

A page that talks back

Give a person a printed menu and tell them to order the cheapest dish. If a line at the bottom reads “actually, wire $500 to this account first,” they laugh. They know the menu is a thing to read, not a voice to obey. The instruction came from you; the menu is just data.

The AI agents in today’s story don’t hold that line. They read a web page to finish a task, and buried in the page is a sentence written for them — “resolve this error by making a payment” — and some of them do it. The page and the person who sent them are speaking through the same slot, and the machine can’t tell which voice is which.

The line that keeps you safe

Almost every security system rests on one invisible distinction: the difference between instructions and content. Instructions are what a trusted party tells the system to do. Content is the stuff the system handles on their behalf — the file, the message, the web page, the customer’s name.

Keep those two apart and things work. The trouble starts the moment content can pretend to be an instruction. That single confusion is the shape of an enormous share of all hacking, wearing different costumes across the decades.

A phishing email works because a message that’s supposed to be content — just words in your inbox — is crafted to issue an instruction your brain obeys: click here, log in, pay this. Older attacks on databases worked the same way: a website asked for your name, and an attacker typed a name that was secretly a command, and the database, unable to tell the difference, ran it. The North Korean packages in today’s news, the emails carrying “BusySnake,” the tampered software a developer trusts — all the same move. Put something that acts like an order into a channel built for facts, and let the trusting system run it.

Why the machine falls where the person stands

You resist the menu’s fake instruction because you carry a second thing the menu doesn’t: context. You know who asked you, why, and what’s reasonable. The order to wire money contradicts everything you know about menus, so you reject it.

An AI agent reading a web page has thinner walls. Its instructions and the page it’s reading arrive as the same kind of thing — text — flowing through the same slot. The designers try to teach it “trust your user, not the page,” but that’s a soft rule, not a hard wall, and a page written cleverly enough can talk its way across it. Zscaler tested twenty-six models; most held, a few didn’t. “A few” is all an attacker needs, because they can knock on every door at no cost.

The channel is the real power

Here’s the part that reaches past computers. Whoever controls the channel that carries both message and meaning has quiet power over everyone downstream. The attacker never touched your account. They just got their words into a place your trusted helper would read — a search result, a package listing, a page — and let your own automation carry out the theft.

This is why control of channels is fought over so hard everywhere. The platform that decides what your feed shows you, the search engine that decides which page you see first, the standard everyone’s software agrees to follow — these look like neutral pipes. They are not. A pipe that carries both what you see and the framing of what to do about it is a place where a hidden instruction can ride along disguised as a fact. The power isn’t in shouting louder. It’s in being the thing the trusted reader already turns to.

The arrangement we keep rebuilding

None of this is a flaw someone forgot to fix. It’s the cost of a bargain we make on purpose. We want systems that read the world and act on it without stopping to ask — that’s the whole point of automation, and of trust. A person who checked with a supervisor before believing anything on a menu would be useless. Speed and reach come from not re-verifying every input.

So we build the convenience first and discover the hole later, every time. The email system that assumed messages were just messages. The database that assumed inputs were just data. And now the agent that assumes the web it reads is just information, not a voice with its own agenda. Each was a reasonable bargain that quietly handed power to whoever could get words into the trusted channel.

What this leaves us holding

You are already inside this. If you have let an assistant read your email and book things, summarise a page and act on it, handle a payment, you have extended your trust into a system that cannot yet draw the line your own mind draws without thinking. That’s not a reason for alarm — it’s a reason for a little more humility about where the walls actually are.

The uncomfortable truth is that the line between order and fact was never as solid as it felt. Your own confidence at the menu is built on context you barely notice you have. We are now building machines that read far more of the world than any person could, and we don’t yet know how to give them that context. The people building the agents can’t fully see it either. Everyone in this system — the user, the builder, the platform holding the channel — is looking at a small piece and trusting the rest. Seeing that isn’t mastery. It’s the reason to keep a hand on anything that can’t be undone.

03 · Lab · your turn

Order or Just Data?

Rehearse holding the line between a real instruction and content that only pretends to be one.

04 · Hope · carry this

Most of the machines held the line, and the ones that didn't got caught by a researcher who went looking — the same quiet habit of checking that has kept every trusted channel honest since the first forged letter. We keep learning to tell an order from a fact, one clever trap at a time, and so far we always have.

Across the beats