VectorSmuggle Framework Exposes Steganographic Data Exfiltration via AI Vector Embeddings
Researchers have released VectorSmuggle, a framework demonstrating how attackers can hide data inside vector embeddings used in enterprise RAG pipelines, evading existing DLP tools.
Enterprise adoption of retrieval-augmented generation (RAG) has moved sensitive corporate content into a new storage format that existing security tools cannot inspect. Companies deploying internal AI assistants convert documents into high-dimensional numerical vectors and ship them to embedding services and vector databases over ordinary HTTPS connections. Data loss prevention products scan documents and network traffic, but they cannot read these vectors.
A research framework called VectorSmuggle, released by Jascha Wanger of ThirdKey under the Apache 2.0 license, demonstrates what an attacker can do with that gap. The project pairs an empirical study of steganographic exfiltration techniques against vector embeddings with a proposed cryptographic defense called VectorPin.
VectorSmuggle catalogs six ways an attacker with access to an ingestion pipeline could hide data inside embeddings. Some methods add small amounts of noise to each vector. Others rotate, rescale, or shift them. One technique splits content across multiple embedding models so each individual vector store only sees a fragment. The perturbed vectors still return the right documents when someone runs a legitimate search, but they also carry information the attacker wants to smuggle out.
The companion preprint tested these techniques against the OpenAI text-embedding-3-large model and four open models from Nomic, EmbeddingGemma, Snowflake Arctic, and MXBai. The corpus testing spans a synthetic personally identifiable information set, the BEIR medical research corpus NFCorpus, and a Quora question subset, totaling more than 26,000 chunks of content.
The findings split along a line that matters for defenders. Noise, scaling, and offset techniques shift the statistical distribution of the embeddings enough that off-the-shelf anomaly detectors catch them reliably. Rotation does something different. Because rotating a vector preserves its mathematical relationships with other vectors, the same detectors miss it across every model and corpus combination the researchers tested. At the channel's theoretical ceiling, a working encoder built on rotation can move roughly 1,920 bytes of hidden payload per vector at zero error rate.
The payload survives passage through the popular vector databases security teams already use, including FAISS, Chroma, and Qdrant in standard and scalar-quantized configurations. When researchers gave attackers full knowledge of the defending anomaly detectors, the attackers could evade detection entirely. Statistical detection is useful as a first filter but does not hold up as a primary control.
Wanger frames the deal organizations are making when they approve internal AI assistants in stark terms. "In exchange for productivity gains, the company agrees to convert its sensitive documents into a new file format and ship them to a service nobody on the security team has visibility into. That new file format is called a vector embedding. Existing DLP tools cannot read it. Existing egress monitoring cannot interpret it." He says VectorSmuggle shows that "an attacker with insider access, or a compromised RAG pipeline, can hide arbitrary data inside those vectors using techniques borrowed from steganography."
The repository also includes a companion defense called VectorPin. It cryptographically signs each embedding when it is created so that any later modification breaks the signature. If an attacker perturbs a vector to hide data inside it, verification fails and the tampered embedding gets flagged. Reference implementations are available in Python and Rust.
Wanger sees the work as part of a broader investigation. "Almost all current AI security work is happening at the model layer. Prompt injection, jailbreaks, output filtering, alignment. That is the visible surface, and it is where the conference talks and the funding go. The infrastructure layer underneath, the embeddings, the vector stores, the tool contracts, the agent identity, has been largely treated as plumbing. Plumbing is exactly the place attackers go when the front door is heavily defended." He predicts the next several years of enterprise AI security incidents will come from this layer.