Close Menu
    What's Hot

    Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

    Democratic Senate Candidate in South Carolina Awaits Lindsey Graham’s Successor

    Lindsey Graham’s sister, Darline, will serve out his Senate term

    Facebook X (Twitter) Instagram
    Trending
    • Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found
    • Democratic Senate Candidate in South Carolina Awaits Lindsey Graham’s Successor
    • Lindsey Graham’s sister, Darline, will serve out his Senate term
    • Ukraine Strikes Take Economic Toll on Russian Energy
    • Hamas Forces Interfered With Aid Distribution, U.N. Says
    • The Problem With VAR at the 2026 World Cup Isn’t the Technology—It’s Who Interprets It
    • Chipotle’s COO looks for four key traits when promoting leaders
    • Trump Administration Announces New Attack on the International Criminal Court
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

    adminBy adminJuly 13, 2026No Comments8 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

    Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions.

    When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with.

    The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, “When Claws Remember but Do Not Tell,” landed on arXiv on 6 July 2026.

    First, what these assistants do

    A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you.

    Many of these agents can also act for you, reading your email, checking your calendar, and running small jobs on a schedule while you are away.

    OpenClaw, the open-source agent used as the study’s primary target, keeps this state in plain text files: some hold its standing instructions (AGENTS.md), some hold what it has learned about you (MEMORY.md). It pulls the core ones into the model’s context at the start of every session.

    Those notes are the whole point of the product. They are also the target.

    The one-email attack

    The attacker does not need your password or your account. They send an email to someone whose agent is set up to check their inbox, which, for these assistants, is a routine job. Buried in that email is text aimed at the assistant, not you.

    If the agent’s email skill takes the bait, three things happen in a row. The agent uses its own file tools to write the attacker’s false note into its persistent memory. Its visible reply says nothing about having done so. And later, in a fresh conversation, that false note changes what it tells you or does for you.

    Cybersecurity

    In one of the study’s test cases, the planted lie was that the user’s Zelle daily sending limit had been raised to $10,000.

    You do not catch the change for a few reasons. The assistant hides its behind-the-scenes steps by design, so the moment it edits a file never shows up in the chat. Few users ever open the raw memory files to read them. And when the agent runs on a schedule in the background, it often sends no message at all, so there is nothing to notice.

    To make the poison stick, the tool aims it at the core files that load every session, so a single write is loaded into every later session instead of waiting to be pulled from a separate memory store.

    The attack is generated by a tool the researchers call MemGhost. Its makers trained an attacker model offline against a shadow copy of a personal agent, rewarding emails that got the memory saved while keeping the reply quiet. At attack time, it writes the finished email in one shot, with no back-and-forth with the victim.

    Across 56 fresh test cases, MemGhost pulled off the full attack, planting a false memory, hiding it, then swaying the agent’s answers in a later session. It worked in 87.5% of background-mode runs against OpenClaw on GPT-5.4, and 71.4% against a Claude Code SDK agent on Sonnet 4.6.

    These were isolated benchmark runs, and they begin only after the email has already reached an inbox that the agent reads, so nothing here tests whether a real payload clears spam filtering or sender authentication first.

    Success was generally lower in foreground-mode tests, where the user can see the reply. In background mode, it stayed above 80% on each of two other agent frameworks and on a vector-based memory store in place of the plain files. The team also built WhisperBench, a 108-case benchmark spanning risks from bad medical advice to money loss to security sabotage.

    Overview of the WhisperBench framework

    Crude versions of the trick mostly fail. A blunt “save this quietly and say nothing” was caught or ignored by the strongest models almost every time; the trained generator is what pushed the numbers up. It also slipped past the defenses meant to stop this kind of attack.

    An input filter built to catch poisoned emails missed MemGhost’s message more than nine times in ten, and a model specially hardened to ignore instructions that arrive by email still followed the planted one about half the time. Even when the owner was made to ask outright, “tell me what you checked and what you did,” the attack stayed hidden about a quarter of the time on one model.

    There is no quick patch to wait for. OpenClaw’s own security policy treats prompt injection on its own as out of scope for a fix, unless it also crosses an authorization, tool-policy, approval, or sandbox boundary. MemGhost crosses none of those, since it works through the agent’s own memory-write tool, and researchers keep demonstrating exactly this kind of injection against the framework.

    The study’s authors argue the real fix has to live inside the agent: tagging where a piece of information came from, asking the user before anything reaches durable memory, and logging every write. Until those lands, the exposed setup is any agent that both reads untrusted mail and can write its own memory without asking.

    The blunt fix is to keep those two jobs apart. Failing that, limit what an email-triggered run can change, and check the memory files after anything suspicious arrives.

    OpenClaw confirmed that position to The Hacker News and pushed back on how the paper set up its agent. Its security guidance tells operators to route untrusted email through a separate reader agent stripped of memory, file, and shell tools, passing only a summary to the main agent, which the paper did not test.

    Cybersecurity

    It also argues model tier matters: the OpenClaw runs used GPT-5.4, a current frontier model, but the authors skipped Claude Opus 4.6 on cost, and OpenClaw pointed to HackMyClaw, a public challenge where thousands of injection emails failed to pry a secret from an Opus 4.6 agent. That test targeted data theft, not memory poisoning, so it does not directly answer the paper.

    OpenClaw said it is weighing memory-write controls for external content, including provenance, audit logs, and confirmation prompts, in the same direction the paper recommends. The Hacker News has also reached out to the paper’s authors and will update this story with any response.

    The manual version came first

    In 2024, researcher Johann Rehberger showed the same move by hand against ChatGPT, planting instructions in its long-term memory through poisoned web content so it would keep leaking a user’s data across future chats. He called it SpAIware. OpenAI closed the data-leak path, but the ability to write memory from untrusted content stayed.

    A year later, it reached a shipping product. EchoLeak (CVE-2025-32711), disclosed by Aim Security in June 2025, used one hidden-text email to make Microsoft 365 Copilot hand over internal company data when the user later asked it a normal question. Microsoft rated it critical and patched it, and no real-world abuse was reported.

    A later case study laid out how it slipped past Copilot’s filters. Both showed that the content an AI reads can carry commands, delivered by an email anyone can send.

    What MemGhost adds is persistence: Rehberger’s version had to be planted by hand, and EchoLeak leaked data only in the moment it was asked, but here an automated payload turns one email into a false memory that stays put and steers sessions long after the message is gone.

    This is a lab result, not a break-in in progress. The researchers ran everything in sealed test environments with fake inboxes and fake users, and the paper documents lab testing only, not use against real people; they say they plan to disclose their findings, attack patterns, and the benchmark to the makers of the affected agents and models.

    Stealth is held in the study partly because capable agents are built to keep their tool activity out of the chat. The one model that gave itself away did so by printing its intermediate steps in the reply, and the researchers expect detection to get harder as agents get better at working quietly.

    The real problem is plainer: a message from outside became a durable, trusted context inside the agent, with no visible moment where anyone approved it.

    agents attack Email False MemGhost memories persistent Plants
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleOpinion | The Tears, the Songs and the Memories
    Next Article France vs Spain: World Cup semi-final preview – Lamine Yamal and Rodri hold keys to stopping Kylian Mbappe’s Les Bleus storming to final | Football News
    admin
    • Website

    Related Posts

    Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

    July 13, 2026

    Trump Administration Announces New Attack on the International Criminal Court

    July 13, 2026

    CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

    July 13, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

    Democratic Senate Candidate in South Carolina Awaits Lindsey Graham’s Successor

    Lindsey Graham’s sister, Darline, will serve out his Senate term

    Ukraine Strikes Take Economic Toll on Russian Energy

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by