Agent Data Injection: A New Attack Class That Bypasses AI Agent Defenses
Researchers from Seoul National University and the Universities of Indiana and Wisconsin introduce Agent Data Injection (ADI) — a new attack type that embeds malicious data into trusted data structures of agents, achieving arbitrary click attacks and remote code execution on Claude Code, Codex, and Gemini CLI while bypassing existing defenses.
This article was generated using artificial intelligence from primary sources.
AI agent security research has until now focused primarily on one class of attacks: instruction injection, where an attacker embeds false instructions into untrusted data that the agent processes, attempting to lead the agent to treat them as legitimate user commands. The community has developed a range of defenses designed to detect and block such attempts. But researchers from Seoul National University and the Universities of Indiana and Wisconsin, in a paper published July 6, 2026, document an attack class that literally bypasses those defenses — and operates on an entirely different principle.
What Is Agent Data Injection and Why Has It Been Invisible Until Now?
Agent Data Injection (ADI) does not target prompts. Instead, malicious content is inserted into structures that agents treat as trusted data — metadata such as resource identifiers and data sources, or the formats used for tool responses and tool call structures. Agents do not scrutinize these structures with the same degree of skepticism they should apply to untrusted text.
The difference is fundamental. Instruction injection attempts to camouflage an attack in natural language — the attacker writes text that looks like a legitimate instruction. ADI does not: the attack is encoded in structured data that the agent assumes to be part of the normal operating protocol. Existing defenses looked for instructional content in places where it should not appear; ADI changes both its form and its location.
Three Attack Classes: From Arbitrary Clicks to Supply-Chain Compromise
The researchers identify three distinct ADI attack classes, each with different objectives and mechanisms:
Arbitrary click attacks target web agents that autonomously navigate user interfaces and execute actions on behalf of the user. Malicious metadata embedded in web content — such as fake element identifiers or manipulated browser API responses — leads the agent to click on unauthorized elements, potentially activating purchases, confirming transactions, or disclosing sensitive data.
Remote code execution (RCE) attacks target coding agents that write, analyze, and run code. ADI manipulates tool call response formats — information the agent receives back from tools such as the file system or debugger — to cause the agent to execute the attacker’s code in the user’s environment.
Supply-chain attacks use the same mechanism to compromise development processes: the attacker injects malicious code under the guise of legitimate data about packages, libraries, or development dependencies that the coding agent downloads and integrates.
Vulnerable Commercial Agents: Claude Code, Codex, and Gemini CLI
The researchers did not demonstrate attacks only on experimental systems — they tested real commercial products available to users:
For arbitrary click attacks: Claude in Chrome, Antigravity, and Nanobrowser were shown to be vulnerable to malicious metadata embedded in web content that agents process.
For RCE and supply-chain attacks: Claude Code, Codex, and Gemini CLI — the three leading coding agents on the market — were shown to be vulnerable to manipulation of tool response formats.
The breadth of affected systems is not coincidental: as the authors emphasize, ADI targets a fundamental design flaw common to all of these agents, not a specific implementation bug in any one of them.
Fundamental Security Flaw in Agent Design
The root cause the authors identify is clear: current agents do not isolate trusted data from untrusted data. This is not an edge case of implementation — it is a fundamental security principle that is consistently neglected in the design of modern agent systems.
The analogy to software engineering is useful: SQL injection attacks have exploited for decades the fact that applications did not separate SQL code from user data. The solution (parameterized queries, prepared statements) required architectural, not merely filter-level, changes. The authors suggest analogous thinking for ADI: adding a filter that looks for instructional content in data is not sufficient. Architectural isolation at the level of the agent runtime is necessary.
ADI bypasses existing instruction prompt injection (IPI) defenses because those defenses assume the attack arrives in the form of instructions — not in the form of structured data that appears legitimate. As long as agents trust all structured data without verifying source and integrity, that gap remains open.
The paper spans 19 pages, 19 figures, and 7 tables and is available on arXiv (2607.05120). The authors are Woohyuk Choi, Juhee Kim, Taehyun Kang, Jihyeon Jeong, Luyi Xing, and Byoungyoung Lee.
Frequently Asked Questions
- How does ADI differ from known instruction injection attacks?
- Instruction injection manipulates natural-language prompts so that the agent receives unauthorized instructions. ADI injects malicious data disguised as trusted data structures — resource identifier metadata or tool-response formats — exploiting the agent's trust mechanism for structured data, not the prompt itself.
- Which real commercial agents were vulnerable to ADI attacks?
- Researchers demonstrated arbitrary click attacks on Claude in Chrome, Antigravity, and Nanobrowser, and remote code execution and supply-chain attacks on Claude Code, Codex, and Gemini CLI — all real commercial products available to users at the time of the research.
- What is the root cause of ADI vulnerability and how should it be addressed?
- The root cause is the absence of isolation between trusted and untrusted data in agent architecture. The authors note that this is a fundamental security principle that current agents do not apply, and addressing it requires architectural changes, not merely the addition of new filters.