Attacks on artificial intelligence are gaining momentum: the number of criminal incidents involving hidden commands in web pages has increased by 32% in just the last quarter. Malicious actors are actively embedding instructions in HTML code to steal data and money, as well as to carry out unauthorized payments through PayPal and similar services.
This is reported by Finway
- Over the past three months, there has been a 32% increase in attacks involving hidden command injections.
- Hackers embed instructions in the HTML code of websites to steal personal information and finances.
- Some cases involved payments through PayPal and other payment services.
“Google’s security team has recorded an increase in attacks on AI agents that use malicious instructions hidden in web pages. Such attacks allow malicious actors to force systems to perform actions on behalf of the user — from data transmission to financial transactions.”
How the latest attacks on AI agents work
Google analysts check up to 3 billion web pages monthly for malicious instructions. It has been found that from November 2025 to February 2026, the number of attacks related to indirect command injections increased by almost a third. Malicious actors disguise instructions in the HTML code of websites, hiding them from users but leaving them visible to artificial intelligence systems.
Various masking methods are used: from nearly transparent text to commands in metadata or page comments. The vast majority of attacks are low-level; however, more complex scenarios pose serious risks, allowing hackers to obtain passwords, IP addresses, or even initiate device formatting and financial transactions.
Financial threats and detection challenges
Some attacks contain detailed instructions for transferring funds via PayPal, targeting agents with access to payment functions. Experts have also recorded attempts to steal credentials and redirect payments through Stripe, indicating a comprehensive approach by hackers to compromise financial transactions. Concurrently, vulnerable systems are being scanned in preparation for larger-scale attacks.
The main danger is that such actions often appear as legitimate activity: AI agents use real user data and perform authorized operations, significantly complicating their detection by traditional security systems.
With the growth of autonomous systems capable of interacting with the outside world, the scale and complexity of attacks will only increase. At the same time, the issue of legal liability for such incidents remains open due to the lack of clear regulatory frameworks in this area.
According to the OWASP classification, such attacks fall under critical application vulnerabilities. Analysts believe that against the backdrop of rising fraud involving artificial intelligence, such scenarios are becoming a new risk point for corporate security.