GPT-5, Gemini AI Agents Vulnerable to Prompt Injection Attacks: Study

New research reveals that AI agents powered by models like GPT-5 and Gemini remain highly vulnerable to prompt injection attacks. A study using a new benchmark called StakeBench found direct attacks succeeded over 79% of the time, while indirect attacks embedded in web content also frequently manipulated agent behavior. The findings highlight a persistent security challenge as autonomous AI agents for tasks like cryptocurrency trading become more widespread.


AI agents designed to browse the web and perform tasks like cryptocurrency trading remain critically vulnerable to prompt injection, according to new research. A team from Nanyang Technological University, ST Engineering, IBM Research, and the University of Illinois Urbana-Champaign found none of the tested agents consistently resisted these attacks.

The researchers developed StakeBench to test AI agents in realistic online environments, focusing on indirect prompt injection as a primary threat. They conducted 3,168 attack simulations using NanoBrowser and BrowserUse with GPT-5 and Gemini 2.5-Flash.

Direct prompt injection attacks succeeded more than 79% of the time across all configurations. Indirect attacks embedded in web content achieved success rates ranging from 41.67% to 68.16%.

The study noted that “prompt-injection security in deployable web agents is not a scalar property of the backbone model but a distribution of harm.” The risk depends on factors like the semantic distance between the attacker’s objective and the user’s original task.

Recent incidents underscore the growing concern, including warnings from Microsoft researchers about hidden instructions in summary links and Google's documentation of attacks that aim to leak credentials. The research also identified “stealthy parasitism,” where an agent completes a user’s task while simultaneously advancing an attacker’s hidden objective.
