AI research agents that browse the web and synthesize long reports have a new documented attack vector.
Researchers introduced FORGE - Fabricated Orchestrated Reasoning chain for aGent Exploitation - a two-level attack targeting so-called deep research agents. These systems break a broad question into subtasks, pull in web evidence across multiple retrieval rounds, and stitch it all into a report. FORGE exploits that workflow by planting adversarial documents in the retrieval pool. One injected page steers the agent's follow-up questions; coordinated across multiple pages, the attack can skew the final report at scale. In tests across 25 queries, five injected documents pushed a metric the researchers call PRISM - which scores how deeply poisoned claims embed in the output - to 26.4%.
The troubling wrinkle is what the researchers call "depth migration": poisoned content doesn't stay in obvious, easy-to-spot framing. As the agent synthesizes recursively, the contamination sinks into factual premises - the kind of background assumptions a reader is least likely to question. That makes FORGE qualitatively different from simpler prompt-injection attacks, where the malicious instruction is usually visible if you look for it.
The paper also proposes a lightweight defense - Root Query Anchoring - that ties each recursive follow-up back to the original question, cutting the PRISM score roughly in half in tests. That's a meaningful reduction, but 18.3% residual contamination is not nothing, and real-world retrieval pools are considerably messier than a controlled 25-query benchmark.