AI threats in the wild: The current state of prompt injections on the web
Google threat intelligence finds indirect prompt injections on public web with 32% malicious uptick.
Summary
Google's Threat Intelligence Group conducted a broad sweep of the public web using Common Crawl to detect indirect prompt injection (IPI) attacks targeting AI systems. While most discovered IPI attempts were low-sophistication pranks, SEO manipulation, or educational content, researchers identified a 32% increase in malicious prompt injections between November 2025 and February 2026. The analysis suggests threat actors are beginning to operationalize IPI attacks, with growing sophistication expected as AI systems become more capable and attackers deploy agentic AI to automate campaigns.
Full text
<span class="byline-author">Posted by Thomas Brunner, Yu-Han Liu, Moni Pande</span><div><br /></div><div><span id="docs-internal-guid-49e83394-7fff-3df2-a974-c7291d12beb8"><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, </span><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Indirect Prompt Injection (IPI) </span><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise AI agents. But while the danger of IPI is widely discussed, are threat actors actually exploiting this vector today – and if so, how?</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">To answer these questions and to uncover real-world abuse, we initiated a broad sweep of the public web to monitor for known indirect prompt injection patterns. This is what we found. </span></p><h1 dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 20pt;"><span face="Roboto, sans-serif" style="font-size: 16pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">The threat of indirect prompt injection</span></h1><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Unlike a direct injection where a user "jailbreaks" a chatbot, IPI occurs when an AI system processes content—like a website, email, or document—that contains malicious instructions. When the AI reads this poisoned content, it may silently follow the attacker's commands instead of the user's original intent.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">This is not a new area of concern for us and Google has been working tirelessly to combat these threats. Our efforts involve cross-functional collaboration between researchers at Google DeepMind (GDM) and defenders like the Google Threat Intelligence Group (GTIG). We have previously detailed </span><a href="https://security.googleblog.com/2025/06/mitigating-prompt-injection-attacks.html" style="text-decoration: none;"><span face="Roboto, sans-serif" style="color: #1155cc; font-size: 12pt; font-variant: normal; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">our work in this area</span></a><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://bughunters.google.com/blog/task-injection-exploiting-agency-of-autonomous-ai-agents" style="text-decoration: none;"><span face="Roboto, sans-serif" style="color: #1155cc; font-size: 12pt; font-variant: normal; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">researchers have further highlighted</span></a><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"> the evolving nature of these vulnerabilities.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Despite this collective focus, a fundamental question remains: to what degree are real-world malicious actors currently operationalizing these attacks?</span></p><h1 dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 20pt;"><span face="Roboto, sans-serif" style="font-size: 16pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Proactive monitoring at Google</span></h1><h2 dir="ltr" style="line-height: 1.38; margin-bottom: 8pt; margin-top: 18pt;"><span face="Roboto, sans-serif" style="font-size: 14pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">The landscape of IPI on the web</span></h2><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">There are many channels through which attackers might try to send prompt injections. However, one location is particularly easy to observe - the public web. Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Public </span><a href="https://greshake.github.io/" style="text-decoration: none;"><span face="Roboto, sans-serif" style="color: #1155cc; font-size: 12pt; font-variant: normal; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">research</span></a><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"> confirms these attacks are possible; consequently, we should expect real-world adversaries to exploit these vulnerabilities to cause harm.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Thus, we ask a basic question: What outcomes are real attackers trying to achieve today?</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">For ease of access and reproducibility, we chose to use </span><a href="https://commoncrawl.org/" style="text-decoration: none;"><span face="Roboto, sans-serif" style="color: #1155cc; font-size: 12pt; font-variant: normal; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Common Crawl</span></a><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">, which is a large repository of crawled websites from the English-speaking web. Common Crawl provides monthly snapshots of 2-3 billion pages each. These are mostly static websites, which includes self-published content such as blogs, forums and comments on these sites, but as a caveat it does not contain most social media content (e.g., LinkedIn, Facebook, X, …) as Common Crawl skips websites with login walls and anti-crawl directives.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;"><span face="Roboto, sans-serif" style="font-size: 12pt; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">This means that, while prompt injections have been observed on social media, we reserve these for an upcoming separate study. For a first look, we can observe prompt injections even in standard HTML, for which Common Crawl conveniently provides not ju