Security/ ai · security · agents · prompt-injection

AI Agents Have a New Attack Vector Researchers Are Calling ADI

A new class of injection attack tricks AI agents into treating malicious data as trusted, bypassing defenses built for older prompt injection methods.

Researchers have identified a new category of attack against AI agents that current defenses largely ignore.

The technique, called agent data injection (ADI), works differently from the better-known instruction injection attacks that most AI security mitigations target. Instead of disguising malicious content as a command, ADI disguises it as trusted data — things like resource identifiers, data origin labels, or tool call formats that an agent uses to understand its own context. The agent then acts on attacker-controlled data without realizing anything is wrong. The researchers tested ADI against real-world agents and found critical vulnerabilities across multiple products.

The practical results are serious. On web agents — including Claude in Chrome, Antigravity, and Nanobrowser — ADI enabled arbitrary click attacks. On coding agents including Claude Code, Codex, and Gemini CLI, the researchers achieved remote code execution and supply-chain attacks. Those are not theoretical worst cases; they are the kinds of outcomes that end incident response calls at 2 a.m.

What makes ADI particularly awkward for the industry is that it exposes a gap existing defenses were never designed to close. The core problem, as the researchers frame it, is that current agents do not isolate trusted data from untrusted data — a separation that has been a baseline security principle in other computing contexts for decades. The AI security conversation has focused heavily on prompt injection; ADI suggests that framing was always too narrow.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →