🚨BREAKING: Google DeepMind just published the largest study ever done on AI agent manipulation, and the findings should stop everyone cold. websites can already tell when an AI is visiting instead of a human. When they detect one, they serve it different content. The agent processes what it receives and acts on it. It has no way to know the page looked different for you. That is not theoretical. That is infrastructure being built right now. The study tested 23 attack types across frontier models including GPT-4o, Claude, and Gemini. 502 real participants across 8 countries. The attack surface it maps is wider than anyone has publicly admitted. Malicious instructions buried in HTML comments that never render on screen. White text on white backgrounds, invisible to humans but consumed by agents. CSS visibility tricks that hide content from human view entirely. Commands encoded into image pixels using steganography, invisible to the human eye but readable by vision models. Instructions sitting in image metadata and alt-text. Override instructions inside PDFs, spreadsheet cells, and presentation speaker notes. QR codes redirecting agents to attacker controlled content. Indirect injection through search results, calendar invites, and email bodies, every data source an agent touches becomes a potential vector. Fake UI elements rendered specifically for agent vision. Safety bypasses hidden inside otherwise clean content. False memories injected into agent memory that carry across sessions. Goal hijacking through gradual instruction drift across multiple interactions that never triggers safety filters. Agents tricked into sending user data to attacker controlled endpoints through legitimate looking API calls. Compromised agents injecting malicious instructions directly into other agents running in the same pipeline. The detection asymmetry is what makes this so hard to close. A user who sends an agent to research a product, book a flight, or summarize documents cannot verify that what the agent saw matched what they would have seen. The agent cannot flag it. It does not know. Multi-agent pipelines make it worse. Agent A pulls web content. Agent B processes it. Agent C acts on it. A successful injection at the first step moves through the whole chain with full trust intact. The attack never touches the model. It touches the data the model eats. Every defense tested fell short. You cannot sanitize image pixels. Telling agents to ignore suspicious instructions fails because injections are built to look legitimate. Human oversight breaks down the moment an agent touches more pages than a person can realistically review. The agents are already out there. The attack infrastructure is being built around them.

→ View original post on X — @aihighlight, 2026-04-07 13:51 UTC