OpenAI shipped browser agents with a 23% prompt-injection success rate after mitigations, while Agent Security Bench reported 84.30% attack success rates across mixed attacks. These vulnerabilities allow hostile content to manipulate tool calls, repository writes, and memory updates with full user permissions, creating dangerous security vectors in AI systems.

Browser agents widened the attack surface, making prompt injection a deployment problem. Microsoft documented specific attack mechanics including HTML image tags that leak data and hidden channels. Tool poisoning attacks, like those disclosed by Invariant Labs, hide malicious instructions in tool descriptions visible to models but not users, expanding threats beyond the chat window.

Memory poisoning persists beyond sessions, corrupting long-term memory and influencing future responses. The industry now treats prompt injection alongside SQL injection and XSS as standard security threats. Connector setup represents supply-chain security where version pinning, scoping credentials, and explicit policies are essential defenses against these evolving attacks that continue to compromise AI systems.