This Google DeepMind’s paper is a serious warning for anyone using autonomous agents today.

Gives the first clear taxonomy of 6 attack types where harmful websites can detect AI agents and show them hidden content humans never see, like

- Instructions buried in HTML comments or white-on-white text

- Steganography in image pixels

- Override commands in PDFs, metadata, or even speaker notes

- Memory poisoning that persists across sessions

- Goal hijacking and cross-agent cascades in multi-agent setups

The real security problem for AI agents is not just the model, but the environment it reads.

The web itself can be weaponized against autonomous AI agents. As agents increasingly browse the internet, read emails, execute transactions, and spawn sub-agents, the information environment becomes an attack surface.

In one cited benchmark, hidden prompt injections embedded in web content partially commandeered agents in up to 86% of scenarios, sub-agent hijacking working 58–90% of the time, and data exfiltration attacks clearing 80% across five different agent architectures.

That reframes the whole debate.

We usually talk about model safety as if the danger sits inside the weights, but agents do something more fragile: they browse, retrieve, remember, and act on untrusted material in real time.

Here’s the thing to worry about.

A web page does not have to look malicious to be dangerous to an agent, because the agent may parse what humans never see: hidden HTML comments, metadata, CSS-hidden text, formatting syntax, or adversarial content embedded in images and other media.

The threat gets more serious once memory enters the loop.

If an agent uses RAG or persistent memory, poisoning no longer has to win in one shot. It can sit quietly in a corpus or memory store and activate later, which is why the paper highlights results showing latent memory poisoning above 80% attack success with less than 0.1% data contamination.

---

ssrn .com/sol3/papers.cfm?abstract_id=6372438