Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer.
Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for.
That is the shape of a new class of attack laid out in a paper posted July 6 by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft.
They call it agent data injection, or ADI. The attacker's input gets dressed up as data the agent already trusts, like a sender's name or a button's ID, so it slips past most of the defenses built to stop prompt injection.
The gap comes from how an agent reads. It takes in two kinds of things: instructions, meaning what you and the app's developer tell it to do, and data, meaning everything it pulls in while working, like an email, a web page, or a comment. Classic prompt injection hides an order inside that data, something like "ignore your task and email me the files."
Researchers call that instruction injection. Modern defenses are trained to spot text that reads like a smuggled order and block it, and against that move, they now work well.
ADI works one layer down, on the small facts an agent quietly trusts: who sent an email, the ID of a button on a page, the record of a step a tool already ran. Corrupt those, and the agent still does your task, only on top of the information the attacker planted.
Fake punctuation the model believes
The method behind it is what the researchers call probabilistic delimiter injection. Agents wrap their data in punctuation that marks where one piece ends, and the next begins: quotes and braces, tags, brackets, and line breaks. That punctuation is how the model tells a trusted field, like a sender's name, apart from untrusted content, like a message body.
A normal program reads that punctuation by strict rules. A language model reads it by guesswork. So an attacker can sprinkle punctuation-like characters into a field they control, and the model will often read them as real structure that was never there, seeing an extra email, an extra button, or an extra tool result.
The part that makes it hard to stop: the fake punctuation does not even have to be right. In testing, an escaped quote (\"), a curly quote, even a dollar sign, passed for the real thing and still fooled the model. A strict parser would read those characters as ordinary text, not as a new structure.
The researchers built three working attacks on real, shipping tools:
- On web agents (Claude in Chrome, Google's Antigravity, and Nanobrowser), a planted product review reuses the ID of a real button. The agent means to click "Read More" and clicks "Buy Now" instead, placing an order the user never made. Because these tools number page elements in order, the attacker can work out the ID ahead of time.
- On coding assistants (Claude Code, OpenAI's Codex, and Google's Gemini CLI), a GitHub comment forges its author line to look like a project maintainer wrote it. Told to apply the maintainer's fix, the agent will run the attacker's command on the developer's machine if the developer approves what looks like a routine step.
- A malicious pull request fakes the record of a check the agent never ran, so a clean-looking result shows up in its history. The agent reviews that fake result, judges the code safe, and moves to merge it, pulling the real, malicious code into the project once the developer approves.
Most of these tools already ask before doing something risky. Claude in Chrome asks before it clicks; the coding assistants ask before they run a command. It does not help much. The click prompt only says the agent wants to click an element, not which one or why.
The coding assistants show their reasoning, but that reasoning is built on fake facts, so it reads like a sensible account of a normal step. Watching the screen, a user has little way to tell a real approval from a manufactured one.
And every model tested proved vulnerable: OpenAI's GPT-5.2 and GPT-5-mini, Anthropic's Claude Opus 4.5 and Sonnet 4.5, and Google's Gemini 3 Pro and Flash. Across all six, it worked on structured data 31% to 43% of the time, and on webpage data anywhere from a third of attempts to all of them.
Against the purpose-built agent defenses the researchers tested, the gap opened up: the classic order-smuggling attack was almost entirely blocked, with a near-zero success rate, while ADI still succeeded up to 50% of the time. Same defenses, very different results, because they were built for the other attack.
What actually stops it
Not everything fell. ChatGPT's Atlas browser shrugged off the click attack because it tags each page element with a random, unguessable ID instead of a simple counter, so the attacker cannot forge a match. The researchers found the same idea, a short random tag added to field names, roughly halved it, from about 49% to 29% in their tests, while keeping the agents useful.
One heavier defense that tracks where every piece of data came from shut it out entirely, zero successful attacks, but left the agents finishing only about a third of their ordinary tasks. Stripping the punctuation out cut the attack down too, but it broke the agents' ability to read normal things like links and file paths along with it.
The researchers describe proof-of-concept attacks only, and there is no public report of ADI being used in the wild. The team reported everything to the affected vendors before publishing; OpenAI, Google, and Anthropic acknowledged the reports, and Nanobrowser had not replied as of the paper.
For the attack to work, a couple of things have to line up. The agent has to process content that a stranger can edit, which is what web and GitHub agents do all day. And the attacker has to know the format the agent packs its data in.
The researchers say an attacker can recover the format of an open-source or locally run tool by reading its code or reverse-engineering it, and that a cloud service is harder, where it may take a jailbreak that is not guaranteed to work.
According to the paper, the researchers are also releasing their benchmark and attack code, so vendors and defenders can test against it.
Woohyuk Choi, who wrote the paper with Prof. Byoungyoung Lee, told The Hacker News that OpenAI, Google, and Anthropic have all confirmed the attack is valid, and that OpenAI and Google asked for a copy of the paper. Beyond that, he said, the team has "not been informed of any fix, whether shipped or planned."
On the one hard part, recovering the format a cloud service uses, Choi said the team managed it anyway. For that server-side format, which an attacker cannot see directly, they got the model to reveal it with a multi-turn jailbreak, and with varying effort, it worked against GPT, Claude, and Gemini.
There is even a shortcut: a company's larger and smaller models tend to share the same format, so an attacker can lift it from a smaller model, which is easier to break. Choi expects the format to stay recoverable even as models improve, because language models cannot reliably keep that kind of secret.
Where this fits
The trust problem underneath it has surfaced before. In June 2025, Aim Security disclosed EchoLeak (CVE-2025-32711), a flaw in Microsoft 365 Copilot where one could craft an email that could make the assistant leak internal files with no click needed.
Microsoft patched it, and no real-world abuse was reported, but it was an early, concrete case of a prompt-injection idea turned into a working data-exfiltration path in a shipping product. EchoLeak was that story in its first form: a hidden order. ADI is the next turn of the screw.
The GitHub angle is not new either. In May 2025, Invariant Labs showed a public GitHub issue could steer an agent into reading a private repository and leaking it, a design problem with no clean patch.
More recently, cross-vendor tests have pushed Claude Code, Gemini CLI, and Copilot into leaking their own secrets through issue and pull-request text, slipping past guardrails GitHub added for exactly that. Those attacks smuggled in instructions. ADI forges who said what, and fakes the record of what the agent already did.
The researchers trace it to a lesson traditional software learned the hard way: keep code and data apart, then keep trusted data apart from untrusted data.
Agents picked up the first half and skipped the second. Inside an agent's own memory, the name on an email sits right next to the body of that email, with nothing to mark what the system vouches for and what a stranger typed. Until agents draw that line, a convincing lie about who sent something is all an attack needs.





