Published on July 16, 2026
New Agent Data Injection (ADI) Attack Can Manipulate AI Agents into Executing Unauthorized Actions
Severity
Medium
Detail
Security researchers have disclosed a new attack technique known as Agent Data Injection (ADI) that can manipulate AI agents into performing unintended actions by corrupting trusted data rather than injecting malicious instructions. The research was published by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft.
Unlike traditional prompt injection attacks, which attempt to insert malicious instructions into user-controlled content, ADI targets the trusted metadata that AI agents rely on during task execution, such as email sender names, webpage element identifiers, button IDs, tool execution records, and GitHub author information. By altering these trusted data fields, attackers can influence an AI agent’s decisions while allowing it to continue performing its intended task.
Researchers successfully demonstrated proof-of-concept attacks against multiple AI-powered tools, including web browsing agents, coding assistants, and software development workflows. The attacks affected several leading AI models, including OpenAI GPT-5.2 and GPT-5-mini, Anthropic Claude Opus 4.5 and Sonnet 4.5, and Google Gemini 3 Pro and Flash.
Successful exploitation may result in unauthorized purchases, execution of attacker-controlled commands on developer systems, acceptance of malicious code, account compromise, and supply chain attacks. Although no real-world exploitation has been reported, the affected vendors have acknowledged the findings.
How?
The attack begins when an AI agent processes content that includes attacker-controlled data from sources such as webpages, emails, GitHub issues, pull requests, or comments.
Attackers exploit the way large language models interpret structured data by injecting specially crafted punctuation or formatting characters into trusted metadata fields. This causes the AI model to incorrectly interpret attacker-controlled information as legitimate system-generated data.
Common attack scenarios include:
- Embedding malicious content in product reviews to manipulate web agents into clicking unintended webpage elements, such as selecting “Buy Now” instead of “Read More.”
- Forging GitHub comment metadata to impersonate trusted project maintainers, convincing coding assistants to execute attacker-controlled commands.
- Creating fake tool execution records or security check results that cause AI agents to incorrectly determine malicious code is safe for review or merge.
- Exploiting predictable webpage element identifiers or trusted metadata fields to redirect AI agent actions.
Unlike traditional prompt injection attacks, ADI does not attempt to change the agent’s instructions. Instead, it manipulates the trusted information used during decision-making, allowing malicious actions to appear legitimate.
Recommendations
Organizations and users utilizing AI agents should:
- Exercise caution when AI agents process content originating from untrusted or publicly editable sources.
- Verify AI-generated actions, especially before approving code execution, purchases, or code merges.
- Avoid relying solely on AI reasoning when approving security-sensitive operations.
- Implement randomized or unpredictable identifiers for trusted system metadata where possible.
- Apply provenance tracking to distinguish trusted system-generated data from externally supplied content.
- Keep AI platforms and development tools updated with the latest security patches and vendor mitigations.
- Monitor vendor advisories for security updates addressing Agent Data Injection attacks.
- Validate outputs generated by AI agents before performing sensitive or high-impact actions.
Source
https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
