Memory Poisoning Attack GhostWriter Exploits Long-Term Memory in LLM Agents

The security research paper titled When Agents Remember Too Much: Memory Poisoning Attacks on Large Language Model Agents introduces a critical vulnerability in personal AI agents equipped with long-term memory subsystems. While long-term memory enables agents to execute complex, multi-step workflows like email management and code execution without massive context windows, it also exposes them to adversarial manipulation. This vulnerability is especially severe for personal assistant agents operating at the intersection of conversational tasks and action planning. The newly identified attack vector, named GhostWriter, operates in two distinct phases to compromise tool-using agents. In the injection phase, an adversary delivers a hidden malicious payload to the agent through untrusted data sources. During the activation phase, the poisoned memory is retrieved during normal operation, forcing the agent to execute unauthorized actions with elevated tool privileges. Evaluation results show that GhostWriter achieves a near-universal injection rate of approximately 98% and an average activation rate of 60% against state-of-the-art agent architectures. The high success rate is attributed to a fundamental lack of security-focused memory governance in current implementations, which treat all ingested context with equal trust. To counter this threat, the researchers developed Agentic Memory Sentry (AM-Sentry). This mitigation framework leverages a dual-layered defense consisting of a memory-saving policy to restrict unauthorized ingestion and a memory-retrieval screen to intercept malicious payloads before they are executed by the agent's reasoning engine.
Related tools
Recommended tools for this topic
These picks prioritize high-intent tools relevant to this topic. Some links may include partner or affiliate tracking.
A strong security and edge platform match across CDN, Zero Trust, and app protection.
View CloudflareA high-relevance security pick for identity, secret management, and team access control.
View 1PasswordStrong for identity, OIDC, and B2B auth readers evaluating implementation tradeoffs.
View Auth0Comparison
| Aspect | Before / Alternative | After / This |
|---|---|---|
| Memory Ingestion | Unrestricted saving of raw, untrusted external inputs directly into long-term memory stores | Enforcement of a memory-saving policy that filters and validates incoming data before storage |
| Retrieval Security | Direct injection of retrieved memory payloads into the LLM context window without screening | Retrieval screening via AM-Sentry to detect and quarantine suspicious payloads before execution |
| Tool Isolation | Agents execute actions on remote repositories or calendars using unverified memory-based triggers | Governance-aware execution limits that prevent actions derived from unverified memory sources |
Source: arXiv
This page summarizes the original source. Check the source for full details.


