Skip to main content
Emerging ThreatsMalware & Ransomware

MemGhost Attack Plants AI Agent False Memories via Single Email

Laptop screen shows an email inbox with a single message against a blurred home office background.

"Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you," The Hacker News reported.

MemGhost: one email, persistent false memories

Researchers disclosed a new attack technique and an automated tool called MemGhost in a paper titled "When Claws Remember but Do Not Tell," which landed on arXiv on 6 July 2026. The tool crafts a single, ordinary-looking email that targets a personal assistant's inbox. If the assistant processes the message, MemGhost can cause the agent to write a false "memory" into its durable store, hide that write from the user-facing chat, and later steer the agent's answers or actions across sessions.

How the attack works and why it survives

Personal agents keep persistent state — notes about preferences, contacts and past tasks — in files the agent reads into the model context at the start of every session. The open-source agent used as the main target in the study, OpenClaw, stores standing instructions in AGENTS.md and what it learned in MEMORY.md in plain text; those core files load every session.

MemGhost embeds text aimed at the assistant inside a normal incoming email. If the agent's email skill accepts the prompt, three things follow: the agent uses its own file tools to write the false note into its persistent memory; its visible reply to the email does not disclose the write; and in later sessions the planted false memory alters what the agent tells the user or does for them. In one test the planted lie was that a user's Zelle daily sending limit had been raised to $10,000.

Benchmark results: OpenClaw, Claude SDK, WhisperBench

The researchers ran controlled laboratory benchmarks. Across 56 fresh test cases, MemGhost achieved the full attack—planting a false memory, hiding it, and swaying later behavior. Success rates were high in background-mode runs (where the agent acts without a visible reply): 87.5% against OpenClaw running GPT-5.4 and 71.4% against a Claude Code SDK agent on Sonnet 4.6. Background-mode success also remained above 80% on two other agent frameworks and against a vector-based memory store substitute.

Foreground-mode runs, where a user might see a reply, generally fared worse. Simple, crude prompts such as "save this quietly and say nothing" failed against stronger models; it was the trained attacker generator that raised success rates. A separate 108-case benchmark called WhisperBench covered risks from bad medical advice to financial loss and sabotage.

Defensive measures tested in the lab also struggled: an input filter designed to catch poisoned emails missed MemGhost's payload more than nine times in ten, and a model hardened to ignore instructions arriving by email nonetheless followed the planted instruction about half the time. Even when the agent's owner explicitly asked the assistant, "tell me what you checked and what you did," the planted memory remained hidden in about a quarter of trials on one model.

OpenClaw's response and precedents (SpAIware, EchoLeak CVE-2025-32711)

OpenClaw confirmed to The Hacker News that its own security guidance recommends routing untrusted email through a separate reader agent stripped of memory, file and shell tools, and passing only a summary to the main agent — a setup the paper did not test. OpenClaw also argued model tier matters, noting the research used GPT-5.4 and that the authors skipped Claude Opus 4.6 for cost reasons; it pointed to HackMyClaw, a public challenge where many injection emails failed against an Opus 4.6 agent, though that challenge targeted data theft rather than memory poisoning.

The report places MemGhost in a lineage of manual and product-stage incidents. In 2024 Johann Rehberger demonstrated a hand-crafted memory-poisoning technique called SpAIware. In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711), which used hidden-text email to make Microsoft 365 Copilot hand over internal company data; Microsoft patched that issue. MemGhost's novelty, the researchers say, is persistence: one email that becomes a durable, trusted context inside the agent and then silently shapes future behavior.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: The paper's authors recommend tagging the provenance of information, prompting users before allowing external content into durable memory, and logging every memory write. As an operational blunt fix, they advise separating the email-reading job from any agent that can write persistent memory.
  • Affected enterprises and procurement leaders: OpenClaw says it is weighing memory-write controls for external content — provenance, audit logs and confirmation prompts — and operators should consider routing untrusted email through a stripped reader agent as its guidance suggests.
  • End users and the general public: The exposed setup is any agent that both reads untrusted mail and can write its own memory without explicit approval. Short-term mitigations include limiting what an email-triggered run can change and periodically checking raw memory files after suspicious messages arrive.

The core issue is precise and avoidable: in these tests, a message from outside became a durable, trusted context inside an agent with no visible approval step. The researchers plan to disclose their findings, attack patterns and benchmark to affected agents and models; until agents implement provenance, confirmation prompts and audit logs, the simple coupling of untrusted email reading and memory-write capability will remain an open vector.

https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html