Plant, Persist, Trigger: Sleeper Attack on Large Language Model Agents

Researchers have identified a new vulnerability in LLM-based agents called 'Sleeper Attacks,' where adversarial content persists dormant in agent state across multiple interactions before being activated by benign queries. The attack threatens real-world LLM deployments by evading single-interaction detection mechanisms, with testing showing vulnerabilities across seven major language models.

The discovery of Sleeper Attacks represents a meaningful evolution in adversarial threat modeling for deployed LLM systems. Unlike previous research focusing on immediate harmful responses to malicious inputs, this work demonstrates that adversaries can inject content that remains latent in agent memory, session context, or stored skills—then activate it through ordinary user interactions. This temporal dimension substantially complicates threat detection and mitigation strategies that typically monitor request-response cycles independently.

The research reflects growing complexity in AI safety as language models move from stateless chatbots toward persistent, multi-turn agents that maintain context and learn from interactions. Production systems increasingly rely on external data integration, tool use, and memory persistence—exactly the vectors this attack exploits. The benchmark construction (1,896 test instances across six harm categories and three agent state targets) provides rigorous evidence that popular open-source and commercial models all exhibit vulnerability, even those with relatively strong baseline defenses.

For developers and enterprises deploying LLM agents, this finding suggests current safety approaches are insufficient. Organizations must implement defense mechanisms spanning multiple interaction windows rather than treating each query as isolated. The research particularly impacts systems with persistent memory—customer service bots, autonomous agents managing workflows, or AI systems accessing MCP (Model Context Protocol) contexts.

Future work likely focuses on detection mechanisms for dormant adversarial content, state isolation techniques, and adversarial training that accounts for multi-turn attack scenarios. This research may accelerate development of certified defense mechanisms for stateful AI systems before widespread production deployment.

• →Sleeper Attacks exploit persistent agent state to bypass single-interaction security checks by activating dormant adversarial content through benign queries.
• →Testing across seven LLMs reveals vulnerability rates remain high even for models with strong baseline defenses, indicating fundamental architectural issues.
• →The attack targets three critical agent components: session context, memory systems, and reusable skills, making comprehensive mitigation complex.
• →Current production LLM agents lack adequate defenses for multi-turn adversarial scenarios, requiring new safety frameworks.
• →The 1,896-instance benchmark enables systematic evaluation of defenses across real-world harm categories and attack strategies.