New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands
A newly discovered technique called agent data injection (ADI) allows attackers to manipulate AI agents into performing unintended actions without altering their core tasks. By corrupting the factual data these systems rely on—such as sender names, button IDs, or tool execution logs—researchers demonstrated how an AI can be tricked into clicking 'Buy Now' instead of 'Read More', executing arbitrary code from GitHub comments, or merging malicious pull requests. The vulnerability affects widely used tools including Claude in Chrome, Google’s Antigravity, Nanobrowser, and OpenAI’s Codex. While no active exploitation has been reported yet, the researchers confirmed the issue with vendors like OpenAI, Google, and Anthropic. Defenses such as random ID tagging and source tracking were shown to reduce risk, but full protection remains challenging due to the nature of how language models interpret structured data.