AI threats in the wild: The current state of prompt injections on the web

Google's Threat Intelligence teams have been actively monitoring the web for real-world instances of indirect prompt injection (IPI), a significant threat vector targeting AI agents. IPI occurs when an AI system processes external content, such as websites or documents, containing malicious instructions that override the user's original intent. While the potential for IPI is widely discussed, Google sought to determine the extent to which it is currently being exploited.
To investigate, researchers scanned a vast repository of public web data, focusing on static websites like blogs and forums, while excluding social media platforms for a separate study. The analysis aimed to identify actual malicious activities rather than theoretical possibilities or benign examples found in research papers.

The process involved a multi-stage filtering approach. Initially, pattern matching was used to identify potential prompt injection signatures. These candidates were then classified by Gemini AI to assess their intent and context. Finally, human validation was employed to ensure high confidence in the detected instances.
The findings revealed a spectrum of IPI attempts. Many were categorized as harmless pranks, such as instructing AI agents to alter their conversational tone. Others were found to be helpful guidance, where website authors aimed to improve AI summaries by adding relevant context, though this could easily be weaponized.
Search engine optimization (SEO) was another observed motive, with some websites attempting to manipulate AI assistants into promoting their services. More concerning were attempts to deter AI agents, including methods designed to waste resources or cause timeouts by redirecting them to endlessly loading pages.

While a small number of prompt injections aimed at data exfiltration and system destruction were identified, their sophistication was notably low. The researchers did not observe advanced attacks that have been detailed in recent security research, suggesting that attackers have not yet widely operationalized these more complex methods at scale.
Despite the current low sophistication, Google observed a relative increase of 32% in malicious IPI detections between November 2025 and February 2026. This upward trend indicates a growing interest and experimentation in IPI attacks.
Google anticipates that the scale and sophistication of IPI attacks will increase in the near future. This is due to AI systems becoming more capable targets and threat actors increasingly automating their operations with agentic AI, thereby lowering the cost of attack.





