X-Labs researchers discovered 10 verified Indirect Prompt Injection (IPI) payloads deployed across live web infrastructure. Unlike direct prompt injection where users send malicious input to AI models, IPI hides adversarial instructions inside ordinary web content. When AI agents crawl or summarize poisoned pages, they ingest and execute these instructions as legitimate commands. The discovered payloads span financial fraud, data destruction, API key exfiltration, and denial-of-service attacks. Attackers employ techniques including CSS invisibility, HTML comments, accessibility attribute abuse, meta namespace spoofing, and system prompt tag impersonation. The shared injection templates across multiple domains suggest organized tooling rather than isolated experimentation. Observed attack intents include unauthorized financial transactions, terminal command execution, content suppression, traffic hijacking, and sensitive information leakage, targeting AI systems that browse web pages, index content for RAG ...