AI/ ai · security · research · prompt-injection

How Poisoned Web Pages Can Hijack AI Research Agents

A new attack method called FORGE shows how adversarial documents can silently corrupt the reports produced by deep research AI agents.

AI research agents that browse the web and synthesize long reports have a new documented attack vector.

Researchers introduced FORGE - Fabricated Orchestrated Reasoning chain for aGent Exploitation - a two-level attack targeting so-called deep research agents. These systems break a broad question into subtasks, pull in web evidence across multiple retrieval rounds, and stitch it all into a report. FORGE exploits that workflow by planting adversarial documents in the retrieval pool. One injected page steers the agent's follow-up questions; coordinated across multiple pages, the attack can skew the final report at scale. In tests across 25 queries, five injected documents pushed a metric the researchers call PRISM - which scores how deeply poisoned claims embed in the output - to 26.4%.

The troubling wrinkle is what the researchers call "depth migration": poisoned content doesn't stay in obvious, easy-to-spot framing. As the agent synthesizes recursively, the contamination sinks into factual premises - the kind of background assumptions a reader is least likely to question. That makes FORGE qualitatively different from simpler prompt-injection attacks, where the malicious instruction is usually visible if you look for it.

The paper also proposes a lightweight defense - Root Query Anchoring - that ties each recursive follow-up back to the original question, cutting the PRISM score roughly in half in tests. That's a meaningful reduction, but 18.3% residual contamination is not nothing, and real-world retrieval pools are considerably messier than a controlled 25-query benchmark.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →