Varying the wording of planted documents can make retrieval poisoning 5.7 times more effective - and invisible to standard duplicate-detection filters, new research shows.
Researchers released a benchmark targeting what they call "polymorphic sybil poisoning," a coordinated attack on retrieval-augmented generation systems. Where simpler attacks copy the same malicious text into multiple documents - and get caught by near-duplicate filters - polymorphic attacks use different wording each time, all steering toward the same attacker-chosen answer. Under a controlled protocol that strips out retrieval luck, polymorphic variants achieved a 22.8% hijack rate versus 4.0% for the monomorphic baseline: a 5.7x amplification across a benchmark of 3,145 questions and 2,982 sybil groups, tested on five AI readers from 7B to 120B parameters.
RAG - grounding AI answers in fetched documents rather than model memory - underpins most enterprise AI assistants, making retrieval integrity a live security question. The paper also challenges how the field measures these attacks: attack success rate (ASR) counts only outputs matching the attacker's target answer, leaving the 47-66% of outputs that instead shift to abstention or drift entirely unmonitored. Two tested readers at nearly identical ASR scores diverged by 16.5 percentage points on abstention and 17.2 on drift - failure modes that look very different to anyone running these systems in production.
A benchmark that exposes what the standard metric can't see is useful; the harder part is getting security teams to adopt the richer scorecard before the attacks do.