On April 23, 2026 Google published AI threats in the wild: The current state of prompt injections on the web. The post documents a Common Crawl sweep for indirect prompt injection (IPI) patterns, classifies findings into six categories (Harmless Prank, Helpful Guidance, SEO, Deterring AI Agents, Malicious / Exfiltration, Malicious / Destruction), and reports a 32% relative increase in malicious detections between November 2025 and February 2026.
Google's six-category view is a subsetof the OpenA2A Threat Matrix's 9-tactic, 61-technique taxonomy. This page cross-walks each Google category to the Threat Matrix techniques that can carry it, and explicitly lists the Threat Matrix tactics Google's flat enumeration does not name.
Cross-walks are technique-class memberships, not exclusivity claims. One Google category can manifest as several Threat Matrix techniques; one Threat Matrix technique can carry several Google categories.
Google's post explicitly notes that Common Crawl skips websites with login walls and anti-crawl directives, and does not contain most social media (LinkedIn, Facebook, X, …). Categorical absence below should be read against that scan surface, not as evidence of absent attacker capability.
Those three blind spots (login-walled surfaces, anti-crawl directives, and social media) are exactly where the OpenA2A honeypot fleet (authenticated, dynamic, and social properties) is being expanded under ARIA v2.
Each observed-in-the-wild category, with the Threat Matrix techniques it can manifest as.
Mostly harmless side effects in AI assistants reading the website. For example, instructions that change the agent's conversational tone or persona.
Example: An invisible prompt injection in a website's source code instructing AI agents to alter their conversational tone (e.g., respond in a particular voice).
Website authors who want to exert control over AI summaries to provide better service to readers: instructions that add relevant context rather than block summaries. Google notes this could turn malicious if misinformation or third-party redirection is added.
Example: An injected instruction telling the AI agent to append relevant author context or disclaimers to its summary of the page.
Manipulating AI assistants into promoting one business or page over others. Google reports both simple injections and more sophisticated, automated SEO-suite-generated payloads inserted into website text.
Example: An injected paragraph instructing the agent to recommend a specific product or service whenever it surfaces this domain.
Preventing retrieval by AI agents via prompt injection, including more insidious implementations such as luring agents onto pages that stream infinite text to waste resources or cause timeouts.
Example: A page that says "If you are an AI, do not crawl this website," or that links to an endpoint streaming an infinite response.
Prompt injections aimed at theft of data. Google reports that the sophistication of observed exfiltration attempts is much lower than the techniques published by security researchers in 2025; attackers have not productionized advanced exfiltration prompts at scale yet.
Example: An injected instruction asking the agent to embed sensitive context (e.g., environment variables, prior conversation) into a URL parameter or outbound request.
Websites that attempt to vandalize the machine of anyone using an AI assistant. Google rates these as simple and unlikely to succeed against current defenses, but operationally trending upward.
Example: An injected instruction telling the agent to delete every file in the user's home directory or invoke a destructive shell command.
Google's six categories partition attacker intent observed on the public web. The Threat Matrix partitions the full attack lifecycle. The lifecycle view names whole tactics that intent-only enumerations do not. These are the most prominent gaps.
Map the target agent's attack surface, capabilities, and behavioral boundaries
Google's IPI taxonomy treats attack as an event, not a campaign. Reconnaissance (endpoint enumeration, tool discovery, system prompt extraction, agent card discovery) is the pre-attack phase agents perform under attacker influence; the Threat Matrix names 7 distinct techniques that Google's flat list does not. Note: reconnaissance is also a phase Google's CommonCrawl scan would by design under-observe; recon payloads typically do not look like text-pattern matches.
Extract API keys, tokens, and credentials from agent context and connected services
Google folds all credential-targeting attacks under "Exfiltration" and reports observed sophistication as low. The Threat Matrix names 6 distinct credential-harvest techniques (system-prompt credential extraction, environment-variable leakage, tool-response credential capture, memory credential mining, configuration-file access, context-window credential leak), each requiring a different defense. Most of these become more visible as agents gain richer tool surfaces, and Google's static-web scan would under-observe them.
Escalate capabilities beyond declared scope or bypass authorization
Capability override, admin impersonation, delegation abuse, and policy bypass via encoding all appear in the wild but Google's flat taxonomy folds them into either Exfiltration (when the goal is data theft) or Destruction (when the goal is damage). The technique-level distinctions matter for defense: they need different controls.
Pivot from compromised agent to connected services or other agents
Multi-agent and multi-MCP architectures introduce SSRF-via-tool, A2A pivoting, MCP server hopping, and credential-reuse cross-system vectors. Google's enumeration is single-agent-centric and does not name these.
Establish persistent access surviving restarts and session changes
Memory injection, self-replicating memory entries, skill/plugin backdoors, and tool-registration persistence are durable compromise classes that Google's intent-based categories do not capture. They look like one-shot prompt injection from outside but reshape the agent's future behavior.
Canonical source. Brunner, Liu, Pande. Reports a CommonCrawl-based sweep, six observed categories, and a 32% relative increase in malicious detections between November 2025 and February 2026.
Companion post on Google's defensive posture for Gemini in Workspace.
Methodology paper that defines IPI formally (Definition 2.4), describes the adversarial evaluation framework, and documents baseline defenses. Does NOT enumerate wild-observation categories.