Back to news
security Priority 4/5 7/10/2026, 11:05:15 AM

Memory Poisoning Attack GhostWriter Exploits Long-Term Memory in LLM Agents

Memory Poisoning Attack GhostWriter Exploits Long-Term Memory in LLM Agents

The security research paper titled When Agents Remember Too Much: Memory Poisoning Attacks on Large Language Model Agents introduces a critical vulnerability in personal AI agents equipped with long-term memory subsystems. While long-term memory enables agents to execute complex, multi-step workflows like email management and code execution without massive context windows, it also exposes them to adversarial manipulation. This vulnerability is especially severe for personal assistant agents operating at the intersection of conversational tasks and action planning. The newly identified attack vector, named GhostWriter, operates in two distinct phases to compromise tool-using agents. In the injection phase, an adversary delivers a hidden malicious payload to the agent through untrusted data sources. During the activation phase, the poisoned memory is retrieved during normal operation, forcing the agent to execute unauthorized actions with elevated tool privileges. Evaluation results show that GhostWriter achieves a near-universal injection rate of approximately 98% and an average activation rate of 60% against state-of-the-art agent architectures. The high success rate is attributed to a fundamental lack of security-focused memory governance in current implementations, which treat all ingested context with equal trust. To counter this threat, the researchers developed Agentic Memory Sentry (AM-Sentry). This mitigation framework leverages a dual-layered defense consisting of a memory-saving policy to restrict unauthorized ingestion and a memory-retrieval screen to intercept malicious payloads before they are executed by the agent's reasoning engine.

Related tools

Recommended tools for this topic

These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.

#arxiv#research#security#agent#data

Comparison

AspectBefore / AlternativeAfter / This
Memory IngestionUnrestricted saving of raw, untrusted external inputs directly into long-term memory storesEnforcement of a memory-saving policy that filters and validates incoming data before storage
Retrieval SecurityDirect injection of retrieved memory payloads into the LLM context window without screeningRetrieval screening via AM-Sentry to detect and quarantine suspicious payloads before execution
Tool IsolationAgents execute actions on remote repositories or calendars using unverified memory-based triggersGovernance-aware execution limits that prevent actions derived from unverified memory sources

Source: arXiv

This page summarizes the original source. Check the source for full details.

Related