Jul 16 / Latest News

AI Agents Exposed to New Data‑Injection Attack

A new study from researchers at Seoul National University, the University of Illinois Urbana‑Champaign, and Largosoft reveals that AI agents can be manipulated not by hijacking their instructions, but by corrupting the trusted data they rely on.

The technique, called agent data injection (ADI), disguises malicious input as legitimate fields such as sender names, button IDs, or tool‑execution records. Because agents interpret structure probabilistically rather than through strict parsing, attackers can insert punctuation‑like characters that models misread as real boundaries, creating fake elements the agent believes are genuine.

Researchers demonstrated working attacks on web agents, coding assistants, and pull‑request reviewers. In one case, a planted product review caused an agent to click “Buy Now” instead of “Read More.” In another, a forged GitHub comment impersonated a maintainer, leading the agent to run an attacker’s command. A malicious pull request could even fabricate a clean tool‑check result, convincing the agent to merge harmful code.

All major models tested were vulnerable, with success rates reaching up to 43% on structured data and even higher on webpages. Traditional prompt‑injection defenses blocked instruction‑smuggling almost entirely but failed against ADI, which operates on trusted data rather than commands. Some defenses, such as randomizing element IDs or tagging fields with unpredictable identifiers, reduced the attack’s effectiveness, while heavier provenance tracking stopped it completely but severely degraded agent performance.

Vendors were notified and acknowledged the findings, though no fixes have been announced. The researchers note that attackers can often recover an agent’s internal data format, even for cloud services, using jailbreak techniques or by analyzing smaller models that share the same structure. They argue that until agents clearly separate trusted internal data from untrusted external content, falsifying who said what—or what the agent believes it already did—will remain a viable attack path.