Agent Data Injection (ADI): A New Threat Vector for AI Agents
Researchers have unveiled 'Agent Data Injection' (ADI), a novel attack that bypasses traditional prompt injection defenses by manipulating the underlying data structures AI agents trust. This allows attackers to subtly corrupt facts an agent relies on, leading to unintended actions like unauthorized purchases or execution of malicious code, even when the agent's core task remains unchanged.
A new class of attack, dubbed **Agent Data Injection** (ADI), has been detailed in a paper by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft. This method allows attackers to corrupt the foundational data an AI agent trusts, leading it to perform actions based on manipulated information rather than direct instruction hijacking.
Traditional prompt injection attempts to smuggle direct commands into an agent's data input. Modern defenses are increasingly adept at identifying and blocking these 'instruction injection' attempts. ADI, however, operates a layer deeper, targeting the small, often overlooked facts that agents implicitly trust, such as a sender's name or a button's ID.
### Probabilistic;
The Core Method
The technique behind ADI is called **probabilistic;
AI agents interpret data by recognizing delimiters β punctuation marks like quotes, braces, or line breaks that separate distinct pieces of information. While conventional programs parse these strictly, language models interpret them probabilistically.
Attackers exploit this by embedding punctuation-like characters into fields they control. The language model often misinterprets these as legitimate structural delimiters, fabricating extra data fields such as an additional email, a phantom button, or a fake tool result. Notably, the fake punctuation doesn't even need to be syntactically correct; characters like escaped quotes (`\"`), curly quotes, or even dollar signs have successfully fooled models into perceiving new structures.

### Real-World Proof-of-Concept Attacks
The researchers demonstrated three successful ADI attacks against widely used AI tools:
* **Web Agents:** On tools like **Claude** in Chrome, **Google's Antigravity**, and **Nanobrowser**, a malicious product review containing a forged button ID could trick the agent into clicking 'Buy Now' instead of 'Read More,' leading to an unauthorized purchase.
* **Coding Assistants:** Against **Claude Code**, **OpenAI's Codex**, and **Google's Gemini CLI**, a crafted GitHub comment with a spoofed author line, appearing to be from a project maintainer, could cause the agent to execute an attacker's command on a developer's machine if approved.
* **Malicious Pull Request:** An attacker could inject a fake record of a successful check into an agent's history. The agent would then review this fabricated result, deem the code safe, and proceed to merge the genuinely malicious code into the project upon developer approval.
Even with common safeguards like user confirmation prompts, the efficacy of ADI remains high. The prompts often lack sufficient context, displaying only an intent to click or run a command, without revealing the underlying, compromised data. The agent's reasoning, based on false facts, also appears legitimate to a user.
All models tested, including **OpenAI's GPT-5.2** and **GPT-5-mini**, **Anthropic's Claude Opus 4.5** and **Sonnet 4.5**, and **Google's Gemini 3 Pro** and **Flash**, proved vulnerable. Success rates ranged from 31% to 43% on structured data, and up to 100% on webpage data. Against defenses specifically designed for instruction injection, ADI still succeeded up to 50% of the time, highlighting a significant blind spot.
### Mitigations and Future Outlook
Not all systems were equally vulnerable. **ChatGPT's Atlas browser** resisted the click attack by assigning random, unguessable IDs to page elements, preventing attackers from predicting and forging them. The researchers found that adding short, random tags to field names could halve ADI's success rate, from approximately 49% to 29%, without significantly impairing agent utility.
More robust defenses, such as comprehensive data provenance tracking, completely eliminated ADI attacks but severely hampered agent functionality, reducing task completion to about a third. Stripping punctuation also reduced attacks but broke the agents' ability to parse legitimate structured data like links and file paths.
While these are currently proof-of-concept attacks with no public reports of in-the-wild exploitation, the researchers have responsibly disclosed their findings to affected vendors. **OpenAI**, **Google**, and **Anthropic** have acknowledged the reports. **Nanobrowser** had not yet responded at the time of publication.
For ADI to succeed, an attacker needs to inject content into data processed by the agent (common in web and GitHub agents) and understand the agent's internal data format. While cloud service formats are harder to recover, the researchers, including Woohyuk Choi, demonstrated that multi-turn jailbreaks could reveal these server-side formats across **GPT**, **Claude**, and **Gemini**. A shortcut exists: larger and smaller models from the same company often share formats, allowing attackers to target easier-to-break smaller models.
### A Broader Context of Trust Issues
This vulnerability echoes previous discoveries concerning AI agent trust. In June 2025, **Aim Security** disclosed **EchoLeak** (**CVE-2025-32711**), a flaw in **Microsoft 365 Copilot** that allowed an email to trigger the leakage of internal files without user interaction. While patched, EchoLeak represented an early instance of prompt injection leading to data exfiltration. ADI takes this concept a step further by manipulating the underlying data rather than direct commands.
Similarly, in May 2025, **Invariant Labs** highlighted a design flaw where a public GitHub issue could steer an agent into reading and leaking private repository data. The ADI research provides a benchmark and attack code to assist vendors and defenders in testing and developing robust countermeasures against this evolving threat.