Agent data injection proof-of-concept attacks expose trusted-data flaws in AI agents
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers disclosed agent data injection (ADI), a new attack class that can make shipping AI agents misclick, run attacker commands, and trust fake history across web and coding tools. The technique abuses trusted data fields such as sender names, button IDs, and prior tool results instead of smuggling direct instructions, which weakens defenses built for classic prompt injection. In tests against Claude in Chrome, Google's Antigravity, Nanobrowser, Claude Code, OpenAI's Codex, and Google's Gemini CLI, planted reviews, forged comments, and fake tool records changed agent behavior. The findings raise immediate risk for agents that ingest attacker-editable web content or GitHub text, especially where approval prompts hide the specific action being taken.
Related Happenings
Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex
Technical Analysis
H score28
First: 10.07.2026 16:45
Last: 10.07.2026 16:45
Sources 1
About this happening:
Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary f...
Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex
Technical AnalysisAbout this happening: Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary f...
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical Analysis
H score3
First: 08.07.2026 18:07
Last: 08.07.2026 18:07
Sources 1
About this happening:
Researchers demonstrated HalluSquatting, an indirect prompt-injection technique that can push AI coding assistants to fetch attacker-controlled resources and execute code....
HalluSquatting indirect prompt-injection attack on AI coding assistants
Technical AnalysisAbout this happening: Researchers demonstrated HalluSquatting, an indirect prompt-injection technique that can push AI coding assistants to fetch attacker-controlled resources and execute code....
Indirect prompt-injection web campaigns targeting AI agents
Campaign
H score37
First: 06.07.2026 18:00
Last: 06.07.2026 18:00
Sources 1
About this happening:
Two real-world campaigns are using indirect prompt injection and SEO poisoning to steer AI agents into fraudulent actions and false legitimacy judgments. The lures...
Indirect prompt-injection web campaigns targeting AI agents
CampaignAbout this happening: Two real-world campaigns are using indirect prompt injection and SEO poisoning to steer AI agents into fraudulent actions and false legitimacy judgments. The lures...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
Sentry agentjacking analysis shows malicious error events can trigger AI coding agents
Technical Analysis
H score38
First: 11.06.2026 12:15
Last: 11.06.2026 12:15
Sources 1
About this happening:
Researchers described Agentjacking as a new attack against AI coding agents that abuses Sentry DSNs and MCP to inject fake error data, causing agents like Claude...
Sentry agentjacking analysis shows malicious error events can trigger AI coding agents
Technical AnalysisAbout this happening: Researchers described Agentjacking as a new attack against AI coding agents that abuses Sentry DSNs and MCP to inject fake error data, causing agents like Claude...
Timeline
-
16.07.2026 14:32 1 articles · 2h ago
Researchers define agent data injection as a trusted-data attack on AI agents
Initial DisclosureResearchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft introduced agent data injection (ADI) in a July 6 paper, describing a class of attacks that corrupt trusted data an AI agent relies on instead of smuggling direct instructions. The team reported the findings to affected vendors before publication, and OpenAI, Google, and Anthropic acknowledged the reports.
Show sources
- New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands — thehackernews.com — 16.07.2026 14:32
-
16.07.2026 14:32 2 articles · 2h ago
Planted reviews and forged GitHub comments steer AI agents into unsafe actions
Technical Analysis UpdateOn web agents such as Claude in Chrome, Google's Antigravity, and Nanobrowser, a planted product review reused a real button ID so the agent meant to click "Read More" and clicked "Buy Now" instead. On coding assistants such as Claude Code, OpenAI's Codex, and Google's Gemini CLI, a forged GitHub comment faked a maintainer's author line and could make the assistant run an attacker's command after approval. The same technique proved effective against OpenAI's GPT-5.2 and GPT-5-mini, Anthropic's Claude Opus 4.5 and Sonnet 4.5, and Google's Gemini 3 Pro and Flash.
Show sources
- New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands — thehackernews.com — 16.07.2026 14:32
- New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands — thehackernews.com — 16.07.2026 14:32
-
16.07.2026 14:32 1 articles · 2h ago
ChatGPT's Atlas browser resists a click attack with random element IDs
Mitigation Patch UpdateChatGPT's Atlas browser resisted the click attack because it tags each page element with a random, unguessable ID instead of a simple counter, and the researchers found that random tags roughly halved success in testing. Against the purpose-built agent defenses they evaluated, classic prompt-injection style order smuggling was almost entirely blocked, while ADI still succeeded up to 50% of the time.
Show sources
- New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands — thehackernews.com — 16.07.2026 14:32