Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
In May 2026, a security team handed an AI agent one of the most ordinary jobs on the web: summarize this page. The agent never produced a summary. It opened a form on a site it was never meant to touch, typed out the entire conversation it had been having with its user, and submitted that record to a server the researchers controlled.
The team was the security and privacy group at Brave, the browser maker, and the page was their own trap. Their report, published on June 8, 2026, makes a point far larger than one rigged demo. The weakness they exercised has no patch, lives in the design of the technology rather than in any single product, and does not care whether the AI runs in a distant data center or entirely on your own laptop.
Brave's team tested two products that sit at opposite ends of how AI gets deployed. One was Mozilla Tabstack, a cloud service that lets AI agents browse and act on the web on a user's behalf. The other was Cotypist, an autocomplete tool for macOS whose model runs entirely on the device, with nothing sent to the cloud. Both were told about the flaws before publication, and Mozilla had shipped a fix by June 1, 2026.
The attack is called indirect prompt injection: rather than typing malicious commands into the AI, the attacker hides them inside content the AI will later read as part of a normal task. On the Tabstack page, the researchers planted instructions in invisible text, white letters on a white background and zero-width characters, unreadable to a person but sitting in the page's text layer where the agent reads. When the agent ingested the page to summarize it, it could not separate the user's real instruction from the page's hidden one. The two shared a single space in the model's context window (the working memory where an AI holds everything it is currently reading), and the model has no reliable way to mark which text it should trust. Its own logs show it believed it was simply continuing the assigned job.
The concrete result was a silent leak. A routine summarize request drained the agent's whole conversation to an outside server with nothing shown to the user, and on the local side a private credential was offered up as the next word to type. The part that should reach your own planning is the assumption it breaks. Many teams adopt on-device or self-hosted AI precisely because they believe keeping the model in-house keeps the data safe. This research shows that belief does not hold: a local model that reads untrusted content is exposed in the same structural way as a cloud one, because the problem is the shared context window, not the network path. The deeper shift worth raising at your next architecture review is that this is not a bug waiting for a fix. The model follows instructions because following instructions is what makes it useful, and that same disposition is the attack surface. OpenAI conceded as much in December 2025, when it said prompt injection, like ordinary online scams, is unlikely to ever be fully solved. The work moves from spotting a bad prompt to designing systems that assume one will get through.
The demonstration looks like a parlor trick, an invisible sentence on a web page that hijacks a helpful assistant. The lesson underneath is harder to wave away. As organizations wire AI agents into email, files, and internal tools, every one of those agents reads content that someone else can write, and it cannot reliably tell an instruction from a fact. Buying a model that runs on your own hardware does not change that. Bring one question to the meeting where you approve your next AI assistant. If a web page or a document it reads tomorrow held a hidden order to leak what it knows, is there anything in your setup that would stop it before it obeyed?


