Hackers Can Hijack AI Agents Through Malicious Web Content

What happened

Hackers can hijack autonomous AI agents through malicious web content designed to manipulate what those systems see, interpret, and do. Google DeepMind researchers described these techniques as “AI Agent Traps” and said they can be embedded into websites, digital resources, and retrieval corpora that agents interact with while browsing, reasoning, or taking action. The research outlines six categories of attacks, including content injection, semantic manipulation, cognitive state corruption, behavioral control, systemic multi-agent disruption, and human-in-the-loop manipulation. The paper says attackers can hide instructions in HTML comments, invisible CSS-positioned text, metadata, and even images, allowing machine-reading agents to process content that human reviewers would not notice. Researchers also described dynamic cloaking, where a server detects an incoming AI agent and serves it a semantically altered page carrying malicious instructions. 

Who is affected

The direct exposure affects organizations deploying autonomous AI agents to browse websites, summarize information, manage emails, execute transactions, retrieve knowledge, or call external tools and APIs. The paper says the risk also extends to operators who rely on those systems in trusted workflows, because malicious content can influence both agent behavior and human approval decisions. 

Why CISOs should care

This matters because the attack surface is no longer limited to the model or the infrastructure around it. The information environment itself becomes part of the threat path when an agent is allowed to read, retrieve, reason, and act on untrusted content. The research also says these attacks can lead to data exfiltration, arbitrary action-taking, poisoned memory, manipulated reasoning, and operator deception, creating both technical and governance risk for organizations pushing AI agents into production workflows. 

3 practical actions

1. Treat web content as an agent attack surface: Review where autonomous agents consume untrusted webpages, documents, or retrieved knowledge, because the research says malicious instructions can be hidden in content that humans do not see. 
2. Add runtime controls around agent behavior: Use content filtering, behavioral monitoring, and anomaly checks before and during tool use, since the researchers recommend runtime defenses in addition to model hardening. 
3. Reassess human approval assumptions: Strengthen oversight for human-in-the-loop workflows because the paper says attackers can manipulate operators through the agent itself by exploiting approval fatigue and automation bias. 

For more news about security risks tied to emerging technologies and defensive strategy, click Cybersecurity to read more.