Google’s latest research has identified a growing number of malicious AI prompt injection attacks on publicly accessible websites. Despite this rise, the sophistication of these attacks remains relatively low, according to the company’s cybersecurity experts.
Understanding Prompt Injection Techniques
Direct prompt injection refers to a method where users bypass AI rules through direct interaction. In contrast, indirect prompt injection involves the AI being misled by harmful instructions embedded in external data sources. This deceptive tactic has been increasingly observed in various forms.
Recent years have seen cybersecurity researchers uncover numerous methods of indirect prompt injection. These include specially crafted prompts on websites, emails, and developer resources that trick AI tools like Gemini, Copilot, and ChatGPT into bypassing security protocols, potentially leading to data theft.
Google’s Research Findings
Google’s threat intelligence team recently explored how extensively these AI vulnerabilities are exploited. Their investigation focused on indirect prompt injections found on the public internet, utilizing website snapshots from Common Crawl to identify known patterns. The use of Gemini and human reviews helped to eliminate false positives.
The analysis revealed a range of prompt injections, from harmless pranks to genuine attempts at misleading AI agents. Some website owners employ these tactics for search engine optimization or to provide helpful guidance. However, there are also malicious uses, such as exfiltration and destruction of data.
Security Implications and Future Outlook
Among the malicious attempts, some websites contained prompts designed to collect sensitive information like IP addresses and credentials for exfiltration. Despite these risks, Google reports that the sophistication of such attacks remains low, with no significant use of advanced techniques predicted by security experts for future threats.
Destructive prompts, aimed at forcing AI to delete all user files, were also identified, though deemed unlikely to succeed. Notably, the research showed a 32% increase in malicious prompt injection attempts from November 2025 to February 2026. This trend indicates a maturing threat that could escalate in both scale and complexity.
Google’s findings underscore the importance of enhancing AI security measures as these threats evolve. The company warns that the sophistication and prevalence of prompt injection attacks are expected to grow, highlighting the need for proactive defense strategies in the age of advanced AI technologies.
