A weekly read of everything that moved in agentic commerce — protocols, payment rails, retailer pilots, regulation. Summarised, sourced, and stitched to what came before.
Security & Risk
4 events tracked
Threat vectors specific to agent-initiated commerce are being measured for the first time in late 2025 and early 2026. Tracked weekly here: published research, vendor disclosures, and incident reports that map the agentic-commerce attack surface.
Anthropic extended Project Glasswing to 150 new organizations in 15+ countries to defend critical infrastructure.
Project Glasswing's initial cohort of roughly 50 partners, granted Claude Mythos Preview access in April 2026, identified more than 10,000 high- or critical-severity security flaws in their codebases. The 150 new organizations span power, water, healthcare, communications, and hardware industries not represented in the first group. Anthropic estimates a major attack on any partner's codebase could affect more than 100 million people. Anthropic also released Claude Security, a product using Claude Opus 4.8 (2026-w22) for codebase scanning and patch suggestions, to complement the restricted-access Mythos Preview. Alongside Glasswing, Anthropic published a separate analysis of 832 banned accounts mapping AI-enabled cyberattack tactics to MITRE ATT&CK; the report found the share of medium-risk or higher threat actors rose from 33% to 56% across two consecutive six-month periods.
Stripe expanded Radar on May 27 to assign bot scores on Checkout, cover all payment methods globally, and block multi-account abuse at AI companies.
Radar's bot score is the first fraud signal published by a major payment processor designed to distinguish authorized AI agents from malicious bots on Stripe Checkout. The expansion covers all globally supported payment methods — bank debits, BNPL, crypto, digital wallets, and real-time payments — connecting network signals across methods: a flagged device fingerprint now blocks across card, wallet, and BNPL in one pass. Stripe reported a 71% reduction in suspected fraud over five months for businesses using Affirm, Cash App, Klarna, and PayPal. The multi-account abuse figure is the first network-level statistic Stripe has published on AI company fraud: more than one in six sign-ups at AI companies on Stripe are linked to multi-account abuse. The launch adds a fraud layer to the agentic-payments infrastructure Stripe released in March and April (2026-w13, 2026-w18).
Empirical study finds 32% rise in malicious injections from Nov 2025 to Feb 2026; payment-fraud payloads targeting agents with PayPal and Stripe capabilities are among the most common.
The Google census is the first web-scale, quantified measurement of in-the-wild prompt injection against AI agents tracked in this archive, and the empirical complement to Visa PERC's dark-web-mention figures (2025-w47-security-visa-perc-fall-2025-threats). The PayPal and Stripe targeting maps directly onto the agent payment stacks built on Mastercard Agent Pay's PayPal integration (2025-w44-payments-mastercard-paypal-integration), Stripe-OpenAI's ACP (2025-w40-payments-stripe-openai-acp-instant-checkout), Stripe's Suite (2025-w50-payments-stripe-agentic-commerce-suite), and the Gemini-Stripe integration (2026-w18-aeo-stripe-google-gemini-checkout). The 32% rise documents threat-surface growth across the same months in which production agent payments reached near-universal card coverage (2026-w18-payments-mastercard-agent-pay-q1-milestone). Together with the FIDO Alliance Agentic Auth working group (2026-w18-standards-fido-agentic-working-groups), the study anchors the Security lane with measured baselines.
Biannual threats report documents 450%+ increase in dark-web posts mentioning AI agents for fraud and 25% rise in malicious bot transactions targeting merchants.
PERC is Visa's biannual payments-ecosystem risk report, and this edition is the first to make AI agent security and agentic fraud a headline category. The 450% dark-web mention figure and the 25% rise in malicious-bot transactions quantify the threat surface that Visa's own Trusted Agent Protocol (2025-w42-payments-visa-trusted-agent-protocol) targets. The data is later corroborated from the supply side by Google's empirical prompt-injection census (2026-w17-security-google-prompt-injection-empirical-study), which finds 15,300 injection instances across 11,700 pages, with payment-fraud payloads among the most common. Together the two studies form the only quantified bot-and-injection data in the Security lane of this archive. The report's release a week before Mastercard Agent Pay went live (2025-w44-payments-mastercard-agent-pay-live-us) marks the moment production agent payments and measured threat data both arrived.
Agentic-commerce security is the discipline of defending transactions where an AI agent, not a human, is the active party. The threat surface inherits classical e-commerce risks (account takeover, payment fraud, social engineering) and adds agent-specific ones: prompt injection embedded in product descriptions or seller responses, hostile autonomy where an agent is steered into adversarial actions, identity spoofing of the agent, and authorisation replay across delegated transactions. Defending it combines three layers: hardened agent runtimes, structured input validation on every tool call, and network-level fraud signals routed through the payment authorisation flow.
Threat vectors specific to agent-initiated commerce are being measured for the first time in late 2025 and early 2026. Visa's PERC Fall 2025 report documented a 450-percent increase in dark-web posts mentioning AI-agent fraud tools. A Google Security Blog study published in April 2026 found 15,300 prompt-injection instances across 11,700 web pages, a 32-percent rise from November 2025 to February 2026. Prompt injection in product descriptions is the leading attack vector identified across both reports: adversarial sellers embed instructions designed to hijack a shopping agent's reasoning at the catalogue layer. OWASP has active working groups on agentic-system threat models. Between them the two studies give the first quantitative baselines for this threat surface, dark-web demand for agent-fraud tooling on the Visa side and live injection counts across retail-facing web content on the Google side; vendor-side mitigations (input sanitisation, structured tool schemas, sandboxed execution) remain in vendor-specific draft form. This hub tracks the published research, vendor disclosures, and incident reports that map the agentic-commerce attack surface.
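The three defensive layers above, and the mitigations the vendors still have in draft (structured tool schemas, treating catalogue text as untrusted input, and a scoped credential checked at authorisation so a delegated mandate cannot be replayed), as an added worked example. This is not code from any of the protocols or vendors named on this page: the mandate format, the HMAC signing key, the `Authoriser` class, the `process_checkout` function and the injection heuristics are all hypothetical constructions for illustration, and the product text is constructed sample input.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from typing import Optional

# Constructed signing key for the example; a real issuer keeps this in a KMS/HSM.
MANDATE_KEY = b"example-mandate-signing-key"

# Layer 1: structured tool schema (hypothetical). The agent may only call checkout
# with exactly these fields, of these types; anything else is rejected before any
# code runs on it.
CHECKOUT_SCHEMA = {"merchant_id": str, "sku": str, "quantity": int,
                   "amount_cents": int, "mandate": str}


def validate_checkout_args(args: dict) -> list:
    """Return the list of schema violations; an empty list means the call is well-formed."""
    errors = []
    for key, typ in CHECKOUT_SCHEMA.items():
        if key not in args:
            errors.append(f"missing field: {key}")
        elif not isinstance(args[key], typ) or isinstance(args[key], bool):
            errors.append(f"wrong type for {key}")       # bool is an int subclass; reject it
    for extra in sorted(set(args) - set(CHECKOUT_SCHEMA)):
        errors.append(f"unexpected field: {extra}")
    if not errors and (args["quantity"] <= 0 or args["amount_cents"] <= 0):
        errors.append("quantity and amount_cents must be positive")
    return errors


# Layer 2: catalogue text is data, never instructions. It is delimited before it
# reaches the model, and obvious steering phrases are flagged (heuristic list,
# assumed for the example; production systems use a classifier plus policy).
INJECTION_PATTERNS = [
    r"ignore (all |any )?(previous|prior|above) instructions",
    r"\b(system prompt|you are now|act as)\b",
    r"\b(send|transfer|pay|refund)\b.{0,60}\b(paypal|stripe|bitcoin|gift card)\b",
]


def flag_injection(text: str) -> list:
    """Return the patterns matched in product text."""
    return [p for p in INJECTION_PATTERNS if re.search(p, text, re.IGNORECASE)]


def wrap_untrusted(text: str) -> str:
    """Quote product text as delimited data, escaping an attacker-supplied closing tag."""
    safe = text.replace("</product_description>", "&lt;/product_description&gt;")
    return "<product_description>\n" + safe + "\n</product_description>"


# Layer 3: a scoped, single-use mandate checked at authorisation time.
def issue_mandate(merchant_id: str, max_cents: int, expires_at: int) -> str:
    """Mint a delegation token bound to one merchant, a spend cap, an expiry and a nonce."""
    payload = {"merchant_id": merchant_id, "max_cents": max_cents,
               "exp": expires_at, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(MANDATE_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


class Authoriser:
    """Verifies mandates and defeats replay by remembering spent nonces."""

    def __init__(self):
        self.spent = set()

    def _parse(self, token: str) -> Optional[dict]:
        try:
            body_b64, tag = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
        except ValueError:                       # wrong shape or bad base64
            return None
        expected = hmac.new(MANDATE_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(body)

    def authorise(self, args: dict, now: int) -> tuple:
        m = self._parse(args["mandate"])
        if m is None:
            return False, "mandate signature invalid"
        if now >= m["exp"]:
            return False, "mandate expired"
        if m["merchant_id"] != args["merchant_id"]:
            return False, "mandate not valid for this merchant"
        if args["amount_cents"] > m["max_cents"]:
            return False, "amount exceeds mandate cap"
        if m["nonce"] in self.spent:
            return False, "mandate already used (replay)"
        self.spent.add(m["nonce"])               # burn the nonce only on success
        return True, "authorised"


def process_checkout(args: dict, product_text: str, auth: Authoriser, now: int) -> dict:
    """Run the three layers in order: cheap schema checks first, the mandate last."""
    errors = validate_checkout_args(args)
    if errors:
        return {"ok": False, "stage": "schema", "detail": errors, "context": None}
    hits = flag_injection(product_text)
    if hits:
        return {"ok": False, "stage": "injection", "detail": hits, "context": None}
    ok, reason = auth.authorise(args, now)
    return {"ok": ok, "stage": "authorise", "detail": reason,
            "context": wrap_untrusted(product_text) if ok else None}
```

The ordering is deliberate: the schema and injection checks are stateless and run before anything that burns the mandate's nonce, so a malformed or poisoned call cannot consume a legitimate delegation. Binding the mandate to a merchant, a cap and a nonce is what turns "authorisation replay across delegated transactions" from a silent overspend into a rejected call with a reason a fraud team can alert on.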
What is AI agent security?
AI agent security is the discipline of defending transactions where an AI agent — not a human — is the active party. The threat surface adds three categories to classical e-commerce risk: prompt injection, where adversarial instructions embedded in product descriptions redirect the agent's reasoning; identity spoofing, where an attacker impersonates a legitimate agent; and authorisation replay, where a delegated credential is reused beyond its intended scope.
Visa's PERC Fall 2025 report documented a 450-percent increase in dark-web posts mentioning AI-agent fraud tools. A Google Security Blog study published in April 2026 catalogued 15,300 prompt-injection instances across 11,700 web pages — a 32-percent increase from the November 2025 baseline. Prompt injection in product descriptions is the leading attack vector identified across both reports. OWASP maintains active working groups on agentic-system threat models; vendor-side mitigations remain in vendor-specific draft form as of April 2026.