Skip to main content
Emerging ThreatsMalware & Ransomware

AI Agents Vulnerable to Data Injection Attacks

Laptop screen displays structured data on a desk in a blurred university setting.

Across six models the researchers tested, the new technique succeeded on structured data 31% to 43% of the time and, on web pages, it worked in experiments ranging from roughly one-third of attempts to every attempt on some targets.

What agent data injection (ADI) does and who published it

Researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft posted a paper on July 6 describing a new class of attack they call agent data injection, or ADI. Unlike classic prompt- or instruction-injection attacks that try to smuggle an order into an agent’s input, ADI corrupts the little facts an agent quietly trusts — the sender name on an email, the ID of a button on a page, or a recorded tool result — and lets the agent carry on with the authorized task using those planted falsehoods.

Probabilistic delimiter injection: how a few characters change the model’s view

The technique behind ADI is what the authors call probabilistic delimiter injection. Agents wrap incoming pieces of data in punctuation that marks boundaries — quotes, braces, tags, brackets, line breaks — and classical software parses those strictly. Language models do not: they treat punctuation as probabilistic cues. An attacker can sprinkle punctuation-like characters into an untrusted field and the model will often interpret them as real structure that was never present.

The researchers note the fake punctuation does not have to be syntactically correct. An escaped quote (\\"), a curly quote, even a dollar sign, passed for the real thing in tests. A strict parser would treat those characters as ordinary text; a language model will often read them as delimiters and thus assign the wrong provenance to adjacent data.

Concrete demonstrations against web agents and coding assistants

The team built three proof-of-concept attacks against real, shipping tools:

  • On web agents (Claude in Chrome, Google’s Antigravity, and Nanobrowser), a planted product review reused the ID of a real button so the agent meant to click “Read More” would click “Buy Now” instead — placing an order the user never intended. Because some tools number page elements in order, an attacker can work out an ID ahead of time.
  • On coding assistants (Claude Code, OpenAI’s Codex, and Google’s Gemini CLI), a GitHub comment forged its author line to look like the project maintainer wrote it; when told to “apply the maintainer’s fix,” the agent ran the attacker’s command locally if the developer approved what appeared to be a routine step.
  • A malicious pull request faked the record of a check the agent never executed. The agent reviewed the fabricated result, judged the code safe, and proceeded to merge it once the developer approved, importing the real malicious code into the project.

Every model tested proved vulnerable: OpenAI’s GPT-5.2 and GPT-5-mini, Anthropic’s Claude Opus 4.5 and Sonnet 4.5, and Google’s Gemini 3 Pro and Flash. Across the six models, structured-data success rates were 31%–43%, and web-page results varied from about a third of attempts to all attempts on some targets.

Defenses tried: random tags, provenance tracking, and the trade-offs

The researchers evaluated common, purpose-built defenses and found a stark split. Classic defenses trained to spot smuggled orders largely blocked instruction-injection attacks to near-zero success, but the same defenses left ADI open — in some tests ADI still succeeded up to 50% of the time.

Two mitigations stood out. ChatGPT’s Atlas browser resisted the click attack by tagging each page element with a random, unguessable ID instead of a simple counter, denying attackers a predictable target. The researchers’ tests showed adding a short random tag to field names roughly halved success rates (from about 49% down to 29%) while keeping agents usable.

A heavier defense that tracked the provenance of every piece of data stopped ADI entirely in the experiments, but it also reduced the agents’ ability to complete ordinary tasks — agents finished only about a third of their normal workload. Stripping punctuation from inputs likewise reduced ADI but broke agents’ ability to read ordinary constructs such as links and file paths. And the authors emphasize that asking users for approval — a step many tools already take before risky actions — provides little help when the displayed reasoning itself is built on fabricated facts.

What this means for OpenAI, Google, Anthropic, and developers

The team reported the research to affected vendors before publishing. Woohyuk Choi told The Hacker News that OpenAI, Google, and Anthropic “have all confirmed the attack is valid,” and that OpenAI and Google requested a copy of the paper; Nanobrowser had not replied as of the paper. Choi added the team has “not been informed of any fix, whether shipped or planned.”

The paper also releases a benchmark and attack code so vendors and defenders can test products against ADI. The authors explain an attacker needs two alignments to succeed: the agent must process content a stranger can edit (a common condition for web and GitHub agents), and the attacker must know the format the agent uses to pack data. They show that format can be recovered for open-source or locally run tools by reading code or reverse-engineering, and that even cloud service formats can be revealed with multi-turn jailbreaks in their experiments. The team warned a shortcut exists: a company’s larger and smaller models tend to share the same format, so an attacker can lift the format from a smaller, easier-to-break model.

Inside an agent’s memory, the name on an email sits right next to the body with nothing to mark what the system vouches for and what a stranger typed. Until agents draw that line between trusted and untrusted fields — by randomizing identifiers, tracking provenance, or other workable measures — a convincing lie about who sent something can be all an attacker needs.

The Hacker News: New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands