The number of attacks with hidden commands on artificial intelligence has increased by 32% over three months, with cybercriminals increasingly using malicious instructions to steal credentials and money through services like PayPal.
This is reported by Business • Media
- In the last quarter, the level of attacks involving hidden command injections rose by 32%.
- Cybercriminals integrate malicious instructions into HTML code to gain access to users’ data and finances.
- Some attacks are aimed at financial transactions through PayPal and other popular payment systems.
Invisible Instructions: How Cybercriminals Bypass Security
According to Google’s security team, there has been a significant increase in attacks on AI agents through the injection of malicious instructions into website code. These instructions allow hackers to compel artificial intelligence to perform actions on behalf of the user — from transmitting private information to initiating financial transactions.
The analysis covered up to 3 billion web pages monthly, and the results indicate that malicious instructions hidden in HTML code remain unnoticed by users but are easily readable by AI agents.
“Researchers noted a 32% increase in attacks with indirect command injections from November 2025 to February 2026. Malicious instructions are disguised in HTML code and remain invisible to humans but accessible for reading by AI agents.”
Threat to Financial Security and Privacy
Cybercriminals use various methods to conceal instructions — from nearly transparent text to metadata or comments in page code. In most cases, these are low-impact attacks; however, complex scenarios can lead to serious consequences.
Experts have recorded attempts to compel AI agents to transmit passwords, IP addresses, as well as initiate commands to format devices or carry out financial transfers. Some cases included detailed instructions for transferring funds via PayPal, targeting agents with access to payment functions.
Additionally, Forcepoint specialists discovered attacks involving payment redirection through Stripe and scenarios aimed at identifying vulnerable systems before larger operations.
The main danger lies in the fact that such actions appear legitimate. The AI agent uses real credentials and performs authorized operations, making classic security systems unable to always identify the attack.
Experts emphasize that with the development of autonomous systems capable of performing actions in the real world, the scale and complexity of attacks will increase. Meanwhile, legal liability for such incidents remains unclear due to the lack of clear regulatory standards.
According to OWASP classification, such attacks fall under critical application vulnerabilities. Against the backdrop of rising fraud involving AI, such scenarios are becoming a new risk point for corporate security.