MemGhost stealth memory injection against OpenClaw personal agents
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers demonstrated MemGhost, a one-email prompt-injection technique that can plant a persistent false memory in OpenClaw-style personal agents, letting an attacker steer later-session answers without visible consent. The lab results show the attack can survive into future sessions and remain hidden, raising the risk of durable context poisoning in agents that read inboxes and write their own memory files.
Related Happenings
OpenClaw message-object prompt injection patched in 2026.4.23 security flaw
Vulnerability
H score15
First: 11.06.2026 20:46
Last: 11.06.2026 20:46
Sources 1
About this happening:
**OpenClaw** has a patched **message-object prompt injection flaw** that let hidden instructions inside **shared contacts, vCards, and location pins** reach the LLM as trusted pro...
OpenClaw message-object prompt injection patched in 2026.4.23 security flaw
VulnerabilityAbout this happening: **OpenClaw** has a patched **message-object prompt injection flaw** that let hidden instructions inside **shared contacts, vCards, and location pins** reach the LLM as trusted pro...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
DEEP#DOOR Python backdoor framework
Malware Activity
H score28
First: 30.04.2026 15:36
Last: 30.04.2026 15:36
Sources 1
About this happening:
**DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
DEEP#DOOR Python backdoor framework
Malware ActivityAbout this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical Analysis
H score20
First: 23.04.2026 12:30
Last: 23.04.2026 12:30
Sources 1
About this happening:
**10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
Indirect prompt injection payloads against AI agents reveal fraud, deletion, and secret-theft paths
Technical AnalysisAbout this happening: **10** new **indirect prompt injection (IPI)** payloads show how web content poisoning can coerce **AI agents** into **financial fraud**, **data destruction**, and **API key theft...
OpenClaw hardening guidance (CNCERT)
Advisory/Mitigation
H score24
First: 14.03.2026 18:17
Last: 14.03.2026 18:17
Sources 1
About this happening:
China's **CNCERT** issued mitigation guidance for **OpenClaw**, warning that weak defaults and privileged access could let attackers seize endpoints, leak data, or trigger destruc...
OpenClaw hardening guidance (CNCERT)
Advisory/MitigationAbout this happening: China's **CNCERT** issued mitigation guidance for **OpenClaw**, warning that weak defaults and privileged access could let attackers seize endpoints, leak data, or trigger destruc...
Timeline
-
13.07.2026 16:49 2 articles · 9h ago
MemGhost lands on arXiv with one-email persistent memory poisoning attack
Initial DisclosureMemGhost, described as stealth memory injection, shows how one email can make an OpenClaw-style agent save a false persistent memory, hide the write, and later steer answers in fresh sessions. The paper landed on arXiv on 6 July 2026 and reported 56 fresh test cases, 87.5% success against OpenClaw on GPT-5.4, and 71.4% against a Claude Code SDK agent on Sonnet 4.6.
Show sources
- New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email — thehackernews.com — 13.07.2026 16:49
- New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email — thehackernews.com — 13.07.2026 16:49
-
13.07.2026 16:49 1 articles · 9h ago
OpenClaw weighs provenance, audit logs, and confirmation prompts for memory writes
Mitigation Patch UpdateOpenClaw said it is weighing memory-write controls for external content, including provenance, audit logs, and confirmation prompts, and its guidance recommends routing untrusted email through a separate reader agent stripped of memory, file, and shell tools before passing only a summary to the main agent. The researchers argue the durable-memory fix should live inside the agent through source tagging, user confirmation before memory writes, and logging every write.
Show sources
- New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email — thehackernews.com — 13.07.2026 16:49