Full Report
Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you
Analysis Summary
# Tool/Technique: Agent Data Injection (ADI)
## Overview
Agent Data Injection (ADI) is a sophisticated class of attack targeting autonomous AI agents. Unlike "instruction injection," which attempts to hijack the agent via direct commands, ADI manipulates the metadata and structured fields (e.g., sender names, button IDs, tool logs) that an agent trusts. By corrupting the "facts" the agent uses to perform its task, the attacker can trick the agent into executing unauthorized actions—such as making purchases or running malicious code—while the agent believes it is correctly fulfilling a legitimate user request.
## Technical Details
- **Type**: Attack Technique (Data Poisoning / Indirect Prompt Injection)
- **Platform**: AI Agents, Web-based AI Browsers (e.g., Claude in Chrome, Nanobrowser), Coding Assistants (e.g., Claude Code, GitHub Copilot/Codex).
- **Capabilities**: Bypassing prompt injection filters, impersonating trusted entities, forging execution history, and triggering unauthorized UI actions.
- **First Seen**: July 2026 (Research published by Seoul National University, UIUC, and Largosoft).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1566 - Phishing]: Utilizing malicious comments or reviews to deliver the injection.
- **[TA0005 - Defense Evasion]**
- [T1559 - Inter-Process Communication]: Exploiting how models interpret data delimiters to bypass security filters.
- **[TA0002 - Execution]**
- [T1204.003 - User Execution: Malicious File]: Tricking a developer into approving a command generated by the AI agent based on forged data.
## Functionality
### Core Capabilities
- **Probabilistic Delimiter Injection**: Exploits the fact that LLMs interpret data boundaries (quotes, braces, brackets) based on patterns and "guesswork" rather than strict parsing rules. Attackers insert "punctuation-like" characters to create fake structures.
- **Identity Forgery**: Forging metadata fields, such as an email sender or a GitHub maintainer's name, to grant the injected content "trusted" status.
- **Action Redirection**: On web pages, remapping element IDs so an agent's intent to click one button (e.g., "Read More") results in clicking another (e.g., "Buy Now").
### Advanced Features
- **Execution History Faking**: Forging log results of previous tools (e.g., a "clean" security scan) to convince an agent that malicious code has already been vetted and is safe to merge or execute.
- **Cross-Model Vulnerability**: Effective against major frontier models including GPT-5 series, Claude 4.5 series, and Gemini 3 Pro/Flash.
## Indicators of Compromise
- **Behavioral Indicators**:
- AI agents requesting approval for actions that do not match the visible context (e.g., asking to run a command based on a "maintainer's" suggestion that isn't actually from the maintainer).
- Unintended automated purchases or web form submissions.
- **Data Indicators**: Presence of non-standard punctuation or escaped characters (e.g., `\"`, `“`, `$`) in data fields like usernames, product reviews, or pull request comments.
## Associated Threat Actors
- Research-driven at this stage; no specific APT groups identified in the wild, though the technique is relevant to actors targeting **Software Supply Chains** and **Enterprise AI Integrations**.
## Detection Methods
- **Behavioral Detection**: Monitoring for "Identity Mismatch" where the LLM's perceived context (who sent a message) contradicts the verified system metadata.
- **Input Validation**: Implementing strict, non-probabilistic parsers to sanitize data before it is fed into the LLM’s context window.
- **Anomalous Pattern Detection**: Identifying unusual sequences of delimiter-like characters in user-generated content (e.g., reviews or comments).
## Mitigation Strategies
- **Human-in-the-Loop (Enhanced)**: Ensuring approval prompts show the *full context* of an action (e.g., "Run command: [full command] from untrusted source: [source]") rather than generic confirmation.
- **Structural Isolation**: Using unique or randomized identifiers for UI elements that cannot be guessed by an attacker.
- **Multi-Factor Trust**: Requiring cryptographic verification (e.g., signed commits) for any data that the agent uses to justify an "Execution" action.
## Related Tools/Techniques
- **Indirect Prompt Injection**: The broader category of feeding malicious instructions through third-party data.
- **Adversarial Machine Learning**: General techniques used to fool model logic.
- **LLM Jacking**: Taking control of LLM resources for unauthorized use.