News
Seoul researchers show how forged metadata tricks AI agents

A team from Seoul National University has described a new class of attacks on AI agents in which malicious data poses as trusted metadata instead of issuing direct commands. They successfully fooled Claude in Chrome, Codex, and Gemini CLI, among others.
Contents
A team of researchers from Seoul National University, Largosoft, and the University of Illinois Urbana-Champaign has described a new category of attacks on AI agents, called Agent Data Injection (ADI). Instead of directly injecting commands into text, the attack disguises malicious content as trusted system metadata, causing the agent to carry out actions in the attacker's favor on its own, without realizing it has been manipulated.
How the metadata swap works
The paper's authors, Woohyuk Choi, Juhee Kim, Taehyun Kang, Jihyeon Jeong, Luyi Xing, and Byoungyoung Lee, note that previous research on prompt injection has focused on direct instructions hidden in the content of a page or document. ADI works differently: the attacker forges data that the agent treats as technical, unsuspicious information about a resource's origin or the context of a conversation with a tool.
In practice, an agent cannot distinguish a genuine identifier of a web page element from a forged one, nor an authentic comment from a mature project contributor from one posted by an attacker impersonating them. The researchers call this a lack of isolation between trusted and untrusted data within the context in which the agent operates.
Three attack scenarios
In the first scenario, aimed at browser agents, a forged interface element prompts the agent to click where the attacker wants, making virtually any page with user-generated content vulnerable. This variant was tested on Claude in Chrome, Antigravity, and Nanobrowser.
The second scenario targets coding agents: an attacker posts a comment on a GitHub issue while impersonating the project's maintainer, prompting the agent to execute malicious commands on the developer's system. The third scenario is a code supply chain attack, where a forged tool execution history convinces the agent to merge a malicious pull request without actually verifying its contents. Both variants were demonstrated on Claude Code, Codex, and Gemini CLI.
The numbers behind the technique
The probabilistic delimiter injection technique tested by the team achieved a success rate of 31.3 to 43.3 percent in JSON format and 33.3 up to as high as 100 percent in web page DOM format, depending on which of the six tested models was targeted. By comparison, classic instruction-based prompt injection registered success rates of a fraction of a percent against the same defenses.
The authors also examined existing defense methods. Input and output filters failed completely, a dual-LLM mechanism without strict policy rules allowed 25 percent of attacks to succeed, and randomizing the data format limited them to 28.7 percent. Data sanitization was effective, but at the cost of agent usefulness, which dropped from 81.2-84.8 percent to 67.9-72.3 percent.
AI agents do not implement a fundamental security principle: isolation of trusted and untrusted data within the agent's context - from the paper "Agent Data Injection Attacks are Realistic Threats to AI Agents"
What this means for companies using agents
The study arrives as companies are increasingly rolling out agentic AI for browsing, customer service, and coding work, often without full control over what data reaches the model as context. The growing number of agent deployments in Poland's e-commerce, banking, and IT sectors means the ADI vulnerability class is not merely an academic exercise, but a real attack vector against companies that have given agents access to code repositories, email accounts, or browsers.
The team has publicly released a test suite and an extended version of the AgentDojo framework, allowing other researchers and security firms to independently verify the vulnerability of their own agent deployments. This sets the publication apart from many earlier reports of isolated, one-off exploits, since it provides a tool for systematically testing defenses.
Responsible disclosure of vulnerabilities to vendors before publication, a standard practice in security research, means Anthropic, OpenAI, and Google had time to respond before the details went public. None of the companies, however, announced a complete fix, suggesting ADI will remain a subject of further agent security updates in the coming months.

