Researchers Warn of 'Agent Data Injection' That Can Trick AI Agents via Trusted Fields
A newly posted research paper on arXiv argues that AI agents may face a broader security problem than standard prompt injection: attackers can hide malicious input inside data fields that agents treat as trusted, potentially causing unintended actions such as clicks, code execution or software supply-chain changes.
The paper, titled “Agent Data Injection Attacks are Realistic Threats to AI Agents,” was posted July 6 by Woohyuk Choi, Juhee Kim, Taehyun Kang, Jihyeon Jeong, Luyi Xing and Byoungyoung Lee. The authors list affiliations including Seoul National University, Largosoft and the University of Illinois Urbana-Champaign. Their central claim is that many current defenses are designed to stop attacker text from being interpreted as direct instructions, but can be bypassed if the malicious content is inserted into metadata or structured context the agent already trusts. As a public arXiv preprint, the paper is a research claim, not by itself proof that vendors have confirmed every finding.
The researchers call this attack class Agent Data Injection, or ADI. In the paper’s words, “ADI injects malicious data disguised as trusted data.” That matters because AI agents — systems that browse websites or use coding tools on a user’s behalf — often combine information from multiple sources before deciding what to do next.
The paper claims proof-of-concept attacks against several named products. For web agents, it names Claude in Chrome, Antigravity and Nanobrowser, and says the attacks enabled arbitrary clicks. For coding agents, it names Claude Code, Codex and Gemini CLI, and says the attacks enabled remote code execution and supply-chain attack scenarios.
Prompt injection is already a known security issue for AI systems, especially agents with access to browsers, terminals or other tools. Most prior defenses try to stop untrusted text from being treated like a command. The new paper argues that approach is incomplete because attackers may not need to write obvious instructions at all. Instead, they can manipulate fields that look like ordinary metadata, labels or structured data, exploiting the fact that trusted and untrusted inputs are not cleanly separated.
One technique described in the paper is “probabilistic delimiter injection,” in which delimiter-like strings placed in untrusted fields can cause a large language model to reinterpret attacker-controlled content as trusted metadata. The paper does not present this as a niche edge case. Across six off-the-shelf models, the authors report attack success rates of 31.3% to 43.3% on JSON formats and 33.3% to 100.0% on web DOM data, the structured code browsers use to represent a page. Overall ADI attack success rates reached up to 50.0%, the paper says, while defended instruction-injection cases were 0.0% to 0.7%.
That claim lands at a moment when agent security is already under scrutiny. AI coding agents and other tool-using systems have faced public security advisories in 2026, including around Gemini CLI. The new paper’s contribution is narrower but important: it argues the weakness is architectural, not just a matter of filtering suspicious instructions.
The authors say they disclosed the issues before submitting the paper. “We reported all vulnerabilities to affected agent vendors before submission, including Anthropic, OpenAI, Google, and Nanobrowser,” the paper says. According to the authors, OpenAI, Google and Anthropic acknowledged the reports, while they had not yet received a response from Nanobrowser at the time of submission.
Even so, no public vendor advisories specifically referencing this paper were found as of July 7. The paper also says artifacts were released on GitHub at github.com/compsec-snu/adi, but that repository was not publicly reachable when checked, limiting immediate independent reproduction from the cited link.
Why the paper matters is not that it proves a live attack campaign. It is that it suggests AI agent security may depend not only on blocking malicious instructions, but also on how systems separate trusted data from untrusted input. For now, though, the findings remain those of an arXiv preprint rather than a peer-reviewed or publicly vendor-validated report.