Indirect prompt injection has moved from academic exercise to real-world threat. For two years, security researchers demonstrated the attack in controlled lab settings. Late 2025 marked the shift: production systems began experiencing actual exploits.

The attack works like this. A user feeds an LLM a prompt that includes untrusted data, often from external sources like websites, PDFs, or database records. An attacker embeds hidden instructions within that data. The LLM processes the injected instructions as legitimate commands, bypassing the original intent of the user's prompt. Unlike direct prompt injection, which requires the attacker to interact with the system directly, indirect injection leverages third-party content that the LLM trusts by default.

OWASP ranked prompt injection as the top vulnerability in its new LLM application security framework. NIST identified indirect injection specifically as generative AI's greatest security challenge. This wasn't hyperbole. Real systems handling customer data, financial transactions, and sensitive documents all faced exposure.

The threat escalates when LLMs operate as autonomous agents. An AI system that reads customer emails, retrieves files from cloud storage, or queries databases creates multiple attack surfaces. Each integration point becomes an injection vector. A malicious PDF uploaded to a customer support system can hijack the AI's behavior. A compromised website scraped by a research tool can misdirect an LLM's analysis.

Defense requires architectural changes, not just better prompts. Organizations must treat external data sources as untrusted by default. Sandboxing LLM outputs, limiting tool access, and validating data integrity all matter. Input filtering alone fails because the malicious content often appears legitimate to standard security checks.

The shift from theory to practice triggered rapid industry response. Teams began implementing input validation at data boundaries, restricting model capabilities in high-stakes contexts, and monitoring for behavioral anomalies.