Close Menu
    What's Hot

    Live Updates: Trump Exaggerates Claims About Election Vulnerabilities in Speech

    How three Ivorian firms are competing with global brands | Economy News

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    Facebook X (Twitter) Instagram
    Trending
    • Live Updates: Trump Exaggerates Claims About Election Vulnerabilities in Speech
    • How three Ivorian firms are competing with global brands | Economy News
    • New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands
    • Shared charging is the key to electric trucking’s success
    • Live Updates: Trump Makes Outlandish Claims About Election Results in Address
    • Pete Hegseth’s Plan for ‘High T’ Troops Is a Junk Science Fever Dream
    • Truth Social Parent to Sell Faster Access to Trump’s Posts
    • Ocado Group plc (OCDDY) Q2 2026 Earnings Call Transcript
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    adminBy adminJuly 17, 2026No Comments8 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands
    Share
    Facebook Twitter LinkedIn Pinterest Email

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click “Buy Now” instead. Ask a coding assistant to apply a maintainer’s fix from a GitHub thread, and a fake comment can make it run a stranger’s command on your computer.

    Neither trick hijacks the agent’s task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for.

    That is the shape of a new class of attack laid out in a paper posted July 6 by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft.

    They call it agent data injection, or ADI. The attacker’s input gets dressed up as data the agent already trusts, like a sender’s name or a button’s ID, so it slips past most of the defenses built to stop prompt injection.

    The gap comes from how an agent reads. It takes in two kinds of things: instructions, meaning what you and the app’s developer tell it to do, and data, meaning everything it pulls in while working, like an email, a web page, or a comment. Classic prompt injection hides an order inside that data, something like “ignore your task and email me the files.”

    Researchers call that instruction injection. Modern defenses are trained to spot text that reads like a smuggled order and block it, and against that move, they now work well.

    Cybersecurity

    ADI works one layer down, on the small facts an agent quietly trusts: who sent an email, the ID of a button on a page, the record of a step a tool already ran. Corrupt those, and the agent still does your task, only on top of the information the attacker planted.

    Fake punctuation the model believes

    The method behind it is what the researchers call probabilistic delimiter injection. Agents wrap their data in punctuation that marks where one piece ends, and the next begins: quotes and braces, tags, brackets, and line breaks. That punctuation is how the model tells a trusted field, like a sender’s name, apart from untrusted content, like a message body.

    A normal program reads that punctuation by strict rules. A language model reads it by guesswork. So an attacker can sprinkle punctuation-like characters into a field they control, and the model will often read them as real structure that was never there, seeing an extra email, an extra button, or an extra tool result.

    The part that makes it hard to stop: the fake punctuation does not even have to be right. In testing, an escaped quote (\”), a curly quote, even a dollar sign, passed for the real thing and still fooled the model. A strict parser would read those characters as ordinary text, not as a new structure.

    The researchers built three working attacks on real, shipping tools:

    • On web agents (Claude in Chrome, Google’s Antigravity, and Nanobrowser), a planted product review reuses the ID of a real button. The agent means to click “Read More” and clicks “Buy Now” instead, placing an order the user never made. Because these tools number page elements in order, the attacker can work out the ID ahead of time.
    • On coding assistants (Claude Code, OpenAI’s Codex, and Google’s Gemini CLI), a GitHub comment forges its author line to look like a project maintainer wrote it. Told to apply the maintainer’s fix, the agent will run the attacker’s command on the developer’s machine if the developer approves what looks like a routine step.
    • A malicious pull request fakes the record of a check the agent never ran, so a clean-looking result shows up in its history. The agent reviews that fake result, judges the code safe, and moves to merge it, pulling the real, malicious code into the project once the developer approves.

    Most of these tools already ask before doing something risky. Claude in Chrome asks before it clicks; the coding assistants ask before they run a command. It does not help much. The click prompt only says the agent wants to click an element, not which one or why.

    The coding assistants show their reasoning, but that reasoning is built on fake facts, so it reads like a sensible account of a normal step. Watching the screen, a user has little way to tell a real approval from a manufactured one.

    And every model tested proved vulnerable: OpenAI’s GPT-5.2 and GPT-5-mini, Anthropic’s Claude Opus 4.5 and Sonnet 4.5, and Google’s Gemini 3 Pro and Flash. Across all six, it worked on structured data 31% to 43% of the time, and on webpage data anywhere from a third of attempts to all of them.

    Against the purpose-built agent defenses the researchers tested, the gap opened up: the classic order-smuggling attack was almost entirely blocked, with a near-zero success rate, while ADI still succeeded up to 50% of the time. Same defenses, very different results, because they were built for the other attack.

    What actually stops it

    Not everything fell. ChatGPT’s Atlas browser shrugged off the click attack because it tags each page element with a random, unguessable ID instead of a simple counter, so the attacker cannot forge a match. The researchers found the same idea, a short random tag added to field names, roughly halved it, from about 49% to 29% in their tests, while keeping the agents useful.

    One heavier defense that tracks where every piece of data came from shut it out entirely, zero successful attacks, but left the agents finishing only about a third of their ordinary tasks. Stripping the punctuation out cut the attack down too, but it broke the agents’ ability to read normal things like links and file paths along with it.

    The researchers describe proof-of-concept attacks only, and there is no public report of ADI being used in the wild. The team reported everything to the affected vendors before publishing; OpenAI, Google, and Anthropic acknowledged the reports, and Nanobrowser had not replied as of the paper.

    For the attack to work, a couple of things have to line up. The agent has to process content that a stranger can edit, which is what web and GitHub agents do all day. And the attacker has to know the format the agent packs its data in.

    The researchers say an attacker can recover the format of an open-source or locally run tool by reading its code or reverse-engineering it, and that a cloud service is harder, where it may take a jailbreak that is not guaranteed to work.

    Cybersecurity

    According to the paper, the researchers are also releasing their benchmark and attack code, so vendors and defenders can test against it.

    Woohyuk Choi, who wrote the paper with Prof. Byoungyoung Lee, told The Hacker News that OpenAI, Google, and Anthropic have all confirmed the attack is valid, and that OpenAI and Google asked for a copy of the paper. Beyond that, he said, the team has “not been informed of any fix, whether shipped or planned.”

    On the one hard part, recovering the format a cloud service uses, Choi said the team managed it anyway. For that server-side format, which an attacker cannot see directly, they got the model to reveal it with a multi-turn jailbreak, and with varying effort, it worked against GPT, Claude, and Gemini.

    There is even a shortcut: a company’s larger and smaller models tend to share the same format, so an attacker can lift it from a smaller model, which is easier to break. Choi expects the format to stay recoverable even as models improve, because language models cannot reliably keep that kind of secret.

    Where this fits

    The trust problem underneath it has surfaced before. In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711), a flaw in Microsoft 365 Copilot where one could craft an email that could make the assistant leak internal files with no click needed.

    Microsoft patched it, and no real-world abuse was reported, but it was an early, concrete case of a prompt-injection idea turned into a working data-exfiltration path in a shipping product. EchoLeak was that story in its first form: a hidden order. ADI is the next turn of the screw.

    The GitHub angle is not new either. In May 2025, Invariant Labs showed a public GitHub issue could steer an agent into reading a private repository and leaking it, a design problem with no clean patch.

    More recently, cross-vendor tests have pushed Claude Code, Gemini CLI, and Copilot into leaking their own secrets through issue and pull-request text, slipping past guardrails GitHub added for exactly that. Those attacks smuggled in instructions. ADI forges who said what, and fakes the record of what the agent already did.

    The researchers trace it to a lesson traditional software learned the hard way: keep code and data apart, then keep trusted data apart from untrusted data.

    Agents picked up the first half and skipped the second. Inside an agent’s own memory, the name on an email sits right next to the body of that email, with nothing to mark what the system vouches for and what a stranger typed. Until agents draw that line, a convincing lie about who sent something is all an attack needs.

    agent agents attack attacker Commands data Injection Misclick run
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleShared charging is the key to electric trucking’s success
    Next Article How three Ivorian firms are competing with global brands | Economy News
    admin
    • Website

    Related Posts

    20+ Hijacked Government Websites Became
an Attack Channel

    July 16, 2026

    Why Apple Sued OpenAI, New York Takes on Data Centers, and What to Know about Cyclosporiasis

    July 16, 2026

    The agent security gap: 54% of enterprises have already had an AI agent incident, and most still let agents share credentials

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Live Updates: Trump Exaggerates Claims About Election Vulnerabilities in Speech

    How three Ivorian firms are competing with global brands | Economy News

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    Shared charging is the key to electric trucking’s success

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by