🟠 High | Source: The Hacker News
A newly documented attack technique called ‘Agent Data Injection’ allows adversaries to manipulate AI agents by poisoning the data sources they consume — such as product reviews or code repository comments — causing the agent to execute attacker-controlled actions rather than the user’s intended task. Unlike prompt injection, this attack does not directly target the agent’s instructions; it corrupts the environmental data the agent trusts, making detection significantly harder. The technique has broad implications for any agentic AI workflow that reads from untrusted external sources, including web browsing, code assistance, and automated purchasing.
Security Architect’s Take: Treat all external data consumed by AI agents as untrusted input — enforce strict output validation and sandboxing around any agent capable of taking real-world actions (e.g. browser automation, shell access, API calls). Architect agent pipelines with least-privilege principles: agents should require explicit human-in-the-loop confirmation before executing irreversible actions such as purchases, code execution, or credential use.
Original advisory: New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands