Hijacking Agent Memory: Stealthy Trojan Attacks Through Conversational Interaction

Researchers present MemPoison, a novel attack that exploits vulnerabilities in large language model agents by injecting malicious information into their long-term memory through dialogue interactions. The attack achieves up to 95% success rates by using semantic bridges, entity masquerading, and embedding optimization to bypass modern selective memory mechanisms, revealing critical security gaps in autonomous AI systems.

The emergence of MemPoison represents a critical vulnerability class in an increasingly important category of AI systems. As LLM agents grow more sophisticated with persistent memory capabilities, they become attractive targets for adversarial manipulation. The research demonstrates that previous security assumptions about memory systems are fundamentally flawed—attackers need not directly corrupt storage but can exploit the selective extraction and rewriting mechanisms that modern systems rely upon. This distinction matters because it shows vulnerabilities exist in the architectural design itself rather than implementation details.

The technical sophistication of MemPoison reflects broader trends in adversarial machine learning research. By using semantic relational bridges to bind triggers with payloads and entity masquerading to resist automated rewriting, the attack exploits how embedding spaces organize information. The research reveals that anisotropy in embedding space and attention pattern manipulation create exploitable pathways for persistent backdoors.

For the AI industry, this research signals that autonomous agents deployed in production environments face material security risks that current defenses cannot fully address. Organizations building agent-based systems for financial services, customer support, or data analysis must contend with the possibility of undetectable memory poisoning through normal user interactions. The finding that multiple defense strategies have fundamental limitations suggests the industry cannot rely on patching but must rethink memory architecture fundamentally.

Looking forward, memory safety in LLM agents will likely become a critical focus for both researchers and practitioners. Developers should anticipate that regulatory bodies may eventually require proof of memory integrity in high-stakes applications, similar to requirements emerging around model transparency and bias mitigation.

• →MemPoison bypasses selective memory mechanisms in LLM agents by binding triggers and payloads through semantic relationships, achieving 95% attack success rates.
• →Entity masquerading techniques allow attackers to create triggers that resist automated memory rewriting by mimicking named entities.
• →The attack exploits embedding-space anisotropy and attention pattern shifts, revealing architectural vulnerabilities rather than mere implementation flaws.
• →Existing defense strategies demonstrate fundamental limitations in mitigating memory poisoning attacks.
• →Memory safety in autonomous agents presents emerging security and regulatory challenges for enterprise AI deployments.