惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
罗磊的独立博客
H
Help Net Security
I
Intezer
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Troy Hunt's Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
U
Unit 42
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
N
News and Events Feed by Topic
J
Java Code Geeks
S
Security Affairs
T
The Blog of Author Tim Ferriss
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
D
Docker
The GitHub Blog
The GitHub Blog
F
Full Disclosure
N
News and Events Feed by Topic
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
腾讯CDC
人人都是产品经理
人人都是产品经理
M
MIT News - Artificial intelligence
Blog — PlanetScale
Blog — PlanetScale
T
Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
博客园 - 三生石上(FineUI控件)
MongoDB | Blog
MongoDB | Blog
博客园 - 【当耐特】
L
LINUX DO - 最新话题
Google Online Security Blog
Google Online Security Blog
S
Schneier on Security
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
P
Proofpoint News Feed
Project Zero
Project Zero
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
Google DeepMind News
Google DeepMind News
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 叶小钗

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The web is now weaponized against your AI agents
Anil Prasad · 2026-05-09 · via DEV Community

Google dropped a security bomb last week.

Their threat intelligence team scanned 2-3 billion web pages per month looking for indirect prompt injection attacks targeting enterprise AI agents. They found a 32% increase in malicious attempts between November 2025 and February 2026.

The open web is now an attack surface for production AI.

This is not speculation. This is documented evidence of active attacks deployed at scale. Hidden instructions embedded in public HTML. Invisible to humans. Visible to AI agents. Real payloads designed to hijack enterprise systems the moment an agent scrapes the page.

If you have AI agents reading the open web on behalf of your organization, your security model just became obsolete.

Monday: Hidden instructions at scale

Google researchers documented the attack patterns deployed across billions of public web pages. The techniques are simple and effective:

Zero font size text: Instructions rendered in font-size: 0. Invisible to humans, fully visible to AI parsing HTML

Opacity manipulation: Commands hidden using CSS opacity: 0. Text exists but appears transparent

Off-screen positioning: Instructions placed outside viewport using negative coordinates

JavaScript dynamic execution: Payloads injected after page load via client-side JS

URL fragment injection: Commands embedded after the # symbol in URLs

These are not sophisticated zero-days requiring nation-state capabilities. These are techniques any web developer knows. The barrier to entry is near zero.

Real payloads found in the wild:

  • Fully specified PayPal transaction instructions
  • Stripe donation redirects with persuasion amplifier keywords
  • Data exfiltration commands targeting enterprise agents

This is production infrastructure under active attack.

Source: Google Threat Intelligence, April 23, 2026

Tuesday: The exploit window collapsed

Black Hat Asia 2026 data from RunSybil: attack window compressed from 5 months (2023) to 10 hours (2026).

Why? Frontier LLMs now do offensive security work autonomously.

2023 workflow:

  1. Security researcher finds vulnerability
  2. Documents it technically
  3. Writes POC exploit code
  4. Tests against targets
  5. Iterates based on results
  6. Publishes working exploit

Timeline: months

2026 workflow:

  1. Describe bug to LLM
  2. Model generates exploit code
  3. Test in real-time
  4. Iterate with AI

Timeline: hours

Meanwhile, 57% of organizations have AI agents in production right now. Most were architected before this research dropped. The threat model changed faster than the deployment cycle.

Wednesday: The sanitizer model pattern

Two models. One reads the web. The other does the work.

This is the architecture that actually defends against indirect prompt injection.

Architecture

Deploy a small isolated model with zero system permissions. It reads untrusted web content, filters instructions, validates structure. If it gets compromised by a prompt injection, it lacks the permissions to cause damage.

The production agent never touches raw web input directly. It only processes data that passed through the sanitizer layer.

Key principle: Trust boundary between models, not just at network edge.

The sanitizer has:

  • ❌ No write access
  • ❌ No email permissions
  • ❌ No payment capabilities
  • ❌ No database credentials
  • ✅ Can read and filter only

If compromised by prompt injection, worst case is tainted text reaching production layer where business logic validation applies.

Implementation

This is not theoretical. I've implemented this in:

  • ARGUS: Dual model verification by default
  • GenomixIQ: Clinical genomics data ingestion
  • ARIA RCM: Healthcare revenue cycle workflows

All production systems in regulated environments.

Thursday: Agent firewalls are the next layer

Agent firewalls enforce security policies traditional infrastructure can't.

What they block

  1. Instruction injection: Override commands
  2. Credential exfiltration: Data to external endpoints
  3. Privilege escalation: Unauthorized tool calls
  4. Decision manipulation: Logic chain redirects

Five-layer architecture

Layer 1: Input validation

  • Markdown sanitization
  • Suspicious URL redaction
  • Pattern matching for attack signatures

Layer 2: Instruction detection

  • ML models trained on override attempts
  • Recognizes semantic patterns (role reversals, system prompt refs)

Layer 3: Permission checks

  • Compartmentalized tool authorization
  • Research agents: read only
  • Write agents: database access, no email
  • Email agents: no payment processing

Layer 4: Decision logging

  • Full audit trails with context
  • Source data tracking
  • Reasoning chain capture
  • Forensic reconstruction capability

Layer 5: Human confirmation gates

  • Financial transactions require approval
  • Data deletion needs review
  • Credential changes trigger verification

Zero trust for agents

Never trust input. Assume web content hostile. Verify every action. Log decision lineage. Compartmentalize tools. Human in loop for high stakes.

Friday: Five questions before deployment

Does your sanitizer have zero system permissions?

If your sanitizer can write to databases or send emails, it's not a sanitizer. It's a production agent reading untrusted input. When compromised, attackers gain those capabilities.

Are tool permissions compartmentalized by role?

Monolithic access = single compromised agent exposes entire system. Implement RBAC for agents.

Can you reconstruct every decision from logs?

If compliance asks why an agent made a recommendation 6 months ago, can you trace to exact data sources and reasoning steps?

Does human confirmation trigger for financial actions?

Agents processing payments without approval = automated embezzlement risk. Confirmation gates are not optional.

Have you tested injection attacks?

No red team testing = you don't know if defenses work. Run adversarial testing continuously.


The 86-89% that fail discover these requirements 6 weeks before go-live when compliance asks.

The 14% that succeed build them day one.

What this means for your systems

Security architecture requirements:

Dual model verification - Sanitizer + production agent separation

Compartmentalized permissions - Role-based tool access

Decision lineage tracking - Full audit trails

Human confirmation gates - Required for high-stakes actions

Continuous injection testing - Red team + automated

Not optional enhancements. Production requirements.

Resources

AI Aether: Free agent security readiness assessment (30 min, 30 questions)

ARGUS: Dual model verification, available on PyPI/GitHub

GenomixIQ: Clinical genomics with FHIR R4 interoperability

ARIA RCM: Healthcare revenue cycle with HIPAA compliance

All production-grade. No pilots. No POCs. Systems that ship and scale.


Years production AI taught one lesson

The teams that succeed build governance before deployment, not after compliance review.

RCMTech: $340M measurable improvements, 89 days integration, zero clinical data loss

GeneticsTech: 99.97% uptime during 50TB migration, FHIR R4 compliance throughout

EnergyTech: 23→81% AI adoption among 20-year veteran operators

HealthTech: Petabyte-scale platforms, every decision traceable


Anil Prasad is Founder of Ambharii Technologies and Head of Engineering & Product at EnergyTech.

28 years building production AI in regulated environments across Fortune 100 companies. Currently building agent security infrastructure for enterprise AI: dual-model verification, compartmentalized permissions, and audit trail architecture for autonomous systems.

Connect: LinkedIn | Website | GitHub

Next week: Production deployment patterns, compliance architecture, audit trail infrastructure.

AgentSecurity #EnterpriseAI #HumanWritten #ExpertiseFromField