Memory Injection Attacks on LLM Agents via Query-Only Interaction

TL;DR

Powerful LLM agents rely on memory-based demonstrations, but a compromised memory bank can leak harmful outputs. The authors present MINJA, a query-only memory-injection attack that uses bridging steps, an indication prompt, and Progressive Shortening to inject malicious records that steer victim queries toward a malicious target. Across three agent types and four victim-target pairs, MINJA achieves high Inject Success Rate (ISR) and strong Attack Success Rate (ASR) while largely preserving benign utility, revealing a realistic security risk. The work highlights the need for memory hardening, memory isolation, and defense-aware prompt design in memory-augmented LLM agents.

Abstract

Agents powered by large language models (LLMs) have demonstrated strong capabilities in a wide range of complex, real-world applications. However, LLM agents with a compromised memory bank may easily produce harmful outputs when the past records retrieved for demonstration are malicious. In this paper, we propose a novel Memory INJection Attack, MINJA, without assuming that the attacker can directly modify the memory bank of the agent. The attacker injects malicious records into the memory bank by only interacting with the agent via queries and output observations. These malicious records are designed to elicit a sequence of malicious reasoning steps corresponding to a different target query during the agent's execution of the victim user's query. Specifically, we introduce a sequence of bridging steps to link victim queries to the malicious reasoning steps. During the memory injection, we propose an indication prompt that guides the agent to autonomously generate similar bridging steps, with a progressive shortening strategy that gradually removes the indication prompt, such that the malicious record will be easily retrieved when processing later victim queries. Our extensive experiments across diverse agents demonstrate the effectiveness of MINJA in compromising agent memory. With minimal requirements for execution, MINJA enables any user to influence agent memory, highlighting the risk.

Figures (8)

• Figure 1: (Top) Previous Work assumes direct access to the memory bank, allowing the attacker to overwrite memory content arbitrarily. (Bottom)MINJA operates via query-only interaction: During the injection stage, the attacker begins by inducing the agent to generate target reasoning steps and bridging steps by appending an indication prompt to an attack query -- a benign query containing a victim term. These reasoning steps along with the given query are stored in the memory bank. Subsequently, the attacker progressively shortens the indication prompt while preserving bridging steps and targeted malicious reasoning steps. When the victim user submits a victim query, the stored malicious records are retrieved as a demonstration, misleading the agent to generate bridging steps and target reasoning steps through in-context learning.
• Figure 2: Each indication prompt (the content in parentheses appended to the attack query) is a sequence of logically connected reasoning steps designed for a specific dataset to induce the agent to generate the bridging steps connecting victim-related $\mathcal{a}_v$ and target-related $R_{\mathcal{a}_t}$. The vertical lines "$|$" in the figure divide the indication prompt into multiple sections, each representing content removed during the shortening iteration process.
• Figure 3: Performance of MINJA for various embedding models used for memory retrieval.
• Figure 4: Victim-target pairs for each dataset
• Figure 5: Visualization of poisoned memory