A novel class of cyberattacks, dubbed Agent Data Injection (ADI), has emerged, capable of manipulating artificial intelligence agents by subtly corrupting the data they trust. Researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft unveiled this threat in a paper released on July 6, illustrating how attackers can trick AI models into performing unintended actions without hijacking their core tasks. This new attack vector bypasses traditional defenses designed to thwart prompt injection by impersonating trusted data elements rather than embedding malicious instructions directly.
ADI attacks exploit how AI agents process information, distinguishing between direct commands and underlying data. While older “instruction injection” attacks buried hidden orders within data, ADI operates a layer deeper. It targets the implicit trust agents place in the origin and format of data, such as a sender’s name or a button’s identifier. By falsifying these small, seemingly innocuous facts, attackers can subtly steer AI behavior, leading to actions like making unauthorized purchases or executing malicious code.
Agent Data Injection: A New Frontier in AI Security
The researchers identified that modern AI agents consume information in two primary forms: instructions, which are explicit directives, and data, which includes everything the agent encounters during its operation. Contemporary defenses are adept at identifying and blocking direct instructions attempting to hijack an agent’s programmed task, often referred to as instruction injection. However, ADI circumvents these defenses by focusing on the structural integrity of trusted data inputs.
This means that even when an AI agent is instructed to perform a legitimate task, such as summarizing product reviews or applying a code fix, ADI can manipulate the context. For instance, an AI tasked with summarizing reviews might be led to click “Buy Now” instead of “Read More” due to a manipulated review’s data structure. Similarly, a coding assistant might be tricked into running unknown commands on a developer’s machine by a forged commit message disguised as a trusted maintainer’s input.
Probabilistic Delimiter Injection: The Underpinning Mechanism
At the core of ADI lies a technique the researchers term “probabilistic delimiter injection.” AI agents use punctuation and special characters—like quotes, braces, or line breaks—to delineate different pieces of data, distinguishing between reliable inputs and untrusted content. Unlike traditional software that adheres to strict parsing rules, large language models interpret these delimiters probabilistically, relying on patterns and educated guesses.
Attackers can exploit this by embedding characters that mimic these delimiters within fields that should contain simple data. The AI model, misinterpreting these characters as genuine structural elements, can perceive additional data fields, buttons, or command outputs that do not actually exist. Remarkably, even characters that would be treated as plain text by a strict parser, such as an escaped quote or a dollar sign, can fool these probabilistic interpretations, creating a false sense of structure within the AI’s perception.
This method is particularly insidious because the fake delimiters do not need to be perfectly formed. The researchers demonstrated that even slightly malformed characters, which would be disregarded by traditional systems, can be misinterpreted by AI models as valid structural markers. This allows attackers to create convincing illusions of data structures that lead the AI astray.
Real-World Exploitations Demonstrated
The research team successfully demonstrated three proof-of-concept attacks on widely used AI tools, highlighting the practical implications of ADI. These attacks targeted web agents, coding assistants, and code review processes.
On web agents, such as those integrated into browsers like Claude in Chrome, Google’s Antigravity, and Nanobrowser, a planted product review could be manipulated to include the identifier of a critical button. When an agent intended to interact with a “Read More” button, it was instead tricked into activating a “Buy Now” button by its reused ID, potentially leading to unauthorized purchases. The researchers noted that in tools numbering page elements sequentially, attackers could pre-emptively determine these IDs.
Coding assistants, including Claude Code, OpenAI’s Codex, and Google’s Gemini CLI, were also vulnerable. A malicious comment on a GitHub thread could be crafted to appear as if it originated from a project maintainer. When the AI agent was instructed to apply a fix, it could be coerced into executing the attacker’s arbitrary commands on the developer’s machine, especially if the developer approved what seemed like a routine step based on the forged author line.
Furthermore, a malicious pull request could be engineered to falsify the completion record of a code review step. This fake, clean result would then be presented to the AI agent, leading it to believe the code was safe and approve its merge into the project. This could result in malicious code being incorporated into a codebase under the guise of a routine update.
Challenges in Detection and Mitigation
A significant challenge for defense lies in the AI’s own confirmation prompts. While tools like Claude in Chrome ask for user confirmation before clicking an element, the prompt often lacks specific details about which element or why. Similarly, coding assistants may display their reasoning, but this reasoning is built upon the corrupted facts introduced by ADI, making it appear logical and innocuous to a human observer.
The vulnerability spans across multiple major AI models. Testing revealed that OpenAI’s GPT-5.2 and GPT-5-mini, Anthropic’s Claude Opus 4.5 and Sonnet 4.5, and Google’s Gemini 3 Pro and Flash were all susceptible. Across these models, ADI achieved success rates between 31% and 43% on structured data and up to 100% on webpage data. Crucially, ADI showed significantly higher success rates (up to 50%) compared to classic instruction injection attacks (near zero) on defenses specifically built to counter the latter, indicating a gap in current security architectures.
However, not all agents were entirely vulnerable. ChatGPT’s Atlas browser, for instance, resisted the click-based attack by assigning random, unguessable IDs to page elements, preventing attackers from forging button identifiers. Introducing short, random tags to field names also reduced attack success rates by approximately half. More robust defenses, such as those tracking data provenance, completely blocked ADI but severely impacted the agents’ usability, reducing task completion to roughly a third.
The Path Forward for AI Security
The researchers plan to release their benchmark and attack code to aid vendors and defenders in testing their systems against ADI. While no public reports of ADI being used in the wild currently exist, the team has informed the affected vendors of their findings, with OpenAI, Google, and Anthropic acknowledging the reports.
Recovering the data format used by cloud-based AI services, a key element for successful ADI, proved feasible. By employing multi-turn “jailbreak” techniques, the researchers were able to extract format information from GPT, Claude, and Gemini models, even when direct code access or reverse-engineering was not possible. The tendency for larger and smaller models from the same company to share data formats offers a shortcut for attackers, as exploiting a less secure, smaller model can reveal secrets applicable to its more robust counterparts.
This new class of attack echoes previous security concerns in AI. EchoLeak, discovered in Microsoft 365 Copilot, demonstrated how crafted emails could lead to the leakage of internal files. Similarly, issues with GitHub’s handling of repository access have been exploited, allowing agents to read private repositories. ADI differs by focusing on the forged identity of data sources and the fabricated history of agent actions, rather than directly smuggling instructions.

