New Attack Class: Agent Data Injection (ADI) in AI Agents
Researchers uncovered a new attack class that tricks AI agents via fake trusted metadata, exposing critical vulnerabilities in Claude, Codex, and Gemini CLI agents.
A new research paper identifies an underexplored subclass of indirect prompt injection called Agent Data Injection (ADI), distinct from the well-studied 'instruction injection' attacks that most existing defenses target. Instead of disguising malicious input as a command, ADI hides it as seemingly trustworthy metadata — such as resource identifiers, data origin tags, or tool call/response formats — causing agents to unknowingly act on attacker-controlled data.
The authors demonstrate real-world exploits across multiple production agents: arbitrary click attacks against web agents (Claude in Chrome, Antigravity, Nanobrowser), and remote code execution plus supply-chain attacks against coding agents (Claude Code, Codex, Gemini CLI). Evaluations show ADI is effective both against standalone LLMs and full agentic systems, easily slipping past current IPI mitigations.
For engineers building or securing AI agents, the takeaway is significant: today's agent architectures lack proper isolation between trusted and untrusted data, a fundamental security gap that existing prompt-injection defenses don't address. The findings suggest a need for stricter data provenance verification and context-boundary enforcement in agent design.