Caleb retweetledi
Google DeepMind just dropped the most terrifying cybersecurity paper of the year.
They just mapped the attack surface that nobody in AI is talking about.
Websites can already detect when an AI agent visits and serve it completely different content than humans see.
- Hidden instructions in HTML.
- Malicious commands in image pixels.
- Jailbreaks embedded in PDFs.
This “detection asymmetry” means a site can serve normal content to you, and malicious, hidden content to your agent.
The agent doesn’t know it’s being tricked. It simply processes whatever it receives and acts on it.
Here’s the attack surface nobody is talking about:
→ Indirect Web Injection: Malicious instructions hidden in HTML comments, CSS tricks, or white text on white backgrounds.
→ Multimodal Steganography: Commands encoded directly into image pixels, invisible to humans, but fully readable by vision models.
→ Document Jailbreaks: Override instructions embedded deep inside PDFs, spreadsheets, and calendar invites.
→ Memory Poisoning: Injecting false information that persists across future sessions.
→ Exfiltration Attacks: Tricking the agent into sending your private data to attacker-controlled endpoints.
→ Multi-Agent Cascades: The worst-case scenario, Agent A gets compromised, passes the “poison” to Agent B, then to Agent C. The entire pipeline gets infected because agents trust each other’s data.
The most sobering part of the DeepMind report? The defense landscape is failing, badly.
Input sanitization doesn’t work because you can’t “sanitize” a pixel. Prompt-level instructions to “ignore suspicious commands” fail because the attacks are designed to look legitimate.
And human oversight? Impossible at the speed and scale these agents operate.
If you ask an agent to research 50 websites, you can’t verify whether each site served the agent the same content it served you.
English
