New 'Agent Data Injection' Attack Exploits AI Trust in Data Integrity
Researchers have identified a novel attack vector, 'Agent Data Injection' (ADI), that manipulates AI agents by corrupting the data they implicitly trust, leading to unintended actions like unauthorized purchases or command execution.

A new class of attack, dubbed Agent Data Injection (ADI), has been detailed by researchers, targeting the fundamental way AI agents process information. Unlike traditional prompt injection, which attempts to smuggle malicious instructions into an agent's command stream, ADI operates at a more subtle level by corrupting the data that AI agents rely on to perform their tasks. This means an agent might still follow its original instructions, but it will do so based on manipulated facts, leading to potentially disastrous outcomes.
The core of the ADI attack lies in exploiting how AI agents interpret data. Agents process both explicit instructions and the data they gather during operation, such as web page content, emails, or code snippets. While defenses are increasingly adept at spotting smuggled commands within data, ADI targets the smaller, seemingly innocuous pieces of information that agents implicitly trust – like sender names, button IDs, or the record of a previously executed tool step. By subtly altering these trusted data points, attackers can steer the agent's actions without directly overriding its primary task.
Researchers have termed the specific technique behind ADI as "probabilistic delimiter injection." AI agents use punctuation and formatting characters – such as quotes, braces, and line breaks – to delineate different pieces of data. While traditional software parses these delimiters with strict rules, language models interpret them more probabilistically, relying on guesswork. Attackers can leverage this by inserting punctuation-like characters into fields they control. The AI agent may then misinterpret these characters as legitimate delimiters, creating phantom data structures like an extra email entry or a spurious button, even if the injected characters are not perfectly formed.
This attack vector has been demonstrated through several proof-of-concept exploits targeting real-world tools. In one scenario, researchers manipulated product reviews on e-commerce sites, causing AI agents browsing the page to mistakenly click "Buy Now" by reusing the ID of a legitimate button. Another exploit targeted coding assistants, where a forged GitHub comment, appearing to be from a project maintainer, tricked the AI into executing attacker-controlled commands on a developer's machine. A third example involved a malicious pull request that faked a code review status, potentially leading to the injection of malicious code into a project.
Existing security measures, which often prompt users before an agent performs a risky action or display the agent's reasoning, offer limited protection against ADI. The approval prompts typically lack specific details about which element is being acted upon or why, and the reasoning displayed by agents can be based on the attacker's fabricated data, making it appear legitimate to a human observer. The researchers tested six different large language models, including OpenAI's GPT-5 series, Anthropic's Claude series, and Google's Gemini series, finding that ADI succeeded in manipulating structured and webpage data between 31% and 100% of the time, significantly outperforming traditional prompt injection defenses.
While ADI poses a significant threat, certain defenses show promise. One effective mitigation involves assigning random, unpredictable IDs to page elements, preventing attackers from reliably forging matches. Another approach, though less practical due to its impact on agent functionality, involves rigorous data provenance tracking. Stripping out extraneous punctuation also showed some success but risked breaking the agent's ability to parse normal data like links and file paths.
Currently, there are no public reports of ADI being used in the wild. The researchers have responsibly disclosed their findings to the affected vendors, including OpenAI, Google, and Nanobrowser, who have acknowledged the reports. The attack requires specific conditions to be met, including the agent processing user-editable content and the attacker understanding the data format, but its potential to bypass current AI security paradigms makes it a critical area for future research and defense development.