Advertisement
Security

The Silent Sabotage: How MemGhost Alters AI Agent Memories

A new automated attack technique can plant persistent, invisible false memories into AI agents through a single, malicious email.

·5 hours ago·2 min read
a blue abstract background with lines and dots
Photo by Conny Schneider on Unsplash
Advertisement

The Mechanics of Memory Poisoning

Modern AI agents, such as the open-source OpenClaw framework, are designed to retain context across sessions by maintaining persistent state files. These files, specifically AGENTS.md and MEMORY.md, store user preferences and instructions, acting as the foundation for the agent's perceived personality. By exploiting this persistent storage, researchers have developed MemGhost, a tool that automates the injection of false information directly into these memory stores without triggering user intervention.

The attack begins when an agent processes a routine email. If that message contains specially crafted instructions, the agent may execute its own file-writing tools to update its internal memory with attacker-supplied misinformation. Because the agent is programmed to handle these tasks quietly in the background, the user typically receives no notification that their digital assistant has been modified or that its future outputs have been compromised.

Evidence of Automated Exploitation

The researchers conducted extensive testing to determine the efficacy of the MemGhost attack across various configurations and model versions. The results indicate that the automation of these prompts significantly improves success rates compared to manually crafted injection attempts.

  • 87.5% success rate in background-mode runs against OpenClaw on GPT-5.4
  • 71.4% success rate against a Claude Code SDK agent on Sonnet 4.6
  • 108 cases tested in the WhisperBench benchmark framework

An input filter built to catch poisoned emails missed MemGhost's message more than nine times in ten, and a model specially hardened to ignore instructions that arrive by email still followed the planted one about half the time.

Historical Context of Agent Attacks

The concept of manipulating AI memory is not entirely new, but previous methods relied on manual labor or specific vulnerability chaining. In 2024, researcher Johann Rehberger demonstrated an early iteration of this threat against ChatGPT, which he called it SpAIware. Following this, the EchoLeak (CVE-2025-32711) incident in June 2025 highlighted how hidden-text emails could force Microsoft 365 Copilot to disclose sensitive internal information.

Unlike these predecessors, MemGhost emphasizes persistence. By automating the creation of poisoned content, the tool ensures that once a false memory is saved, it remains within the agent’s context indefinitely. This shift from transient data exfiltration to long-term behavioral steering marks a notable evolution in how attackers may seek to subvert AI autonomy.

Defensive Implications for Enterprise

The primary challenge for organizations is that standard security policies often categorize simple prompt injection as out-of-scope for remediation. Because MemGhost utilizes the agent's own legitimate file-writing tools, it avoids standard authorization boundaries. This leaves businesses and developers with a narrow set of defensive options, such as separating email ingestion from the agent's core memory access or implementing strict provenance checks for all data entering the persistent store.

While OpenClaw has noted that its current security guidance advises routing untrusted mail through a restricted reader agent, the vulnerability highlights a fundamental tension: the more functional an agent is, the more sensitive it becomes to external input. Until robust auditing and human-in-the-loop confirmation requirements become industry standard, any agent that automatically parses untrusted communication and writes to memory remains at risk of subtle, persistent manipulation.

#ai security#prompt injection#data integrity#open source#cybersecurity
← Back to all stories
Advertisement