GhostWriter Attack Poisons LLM Agent Memory, Poses Security Risk

George Torres, Sharad Shrestha, Satyajayant Misra· July 9, 2026 View original

Summary

This paper introduces GhostWriter, a novel memory poisoning attack that exploits current memory subsystems in tool-using personal AI agents. The attack achieves high injection and activation rates, highlighting a critical security vulnerability due to a lack of memory governance, and proposes AM-Sentry as a mitigation.

The proliferation of personal AI agents powered by large language models (LLMs) that interact with sensitive information and untrusted sources introduces new security vulnerabilities. This research identifies a novel attack vector called GhostWriter, which specifically targets the long-term memory subsystems of these tool-using agents. The attack operates in two phases: an injection phase where a hidden malicious payload is sent to the agent, and an activation phase where the poisoned memory is retrieved and executed. GhostWriter demonstrates alarming effectiveness, achieving nearly universal injection rates (around 98%) and high average activation rates (approximately 60%) against state-of-the-art agents. This vulnerability stems from the current lack of robust security-focused memory governance in these systems. In response, the authors propose Agentic Memory Sentry (AM-Sentry), a mitigation strategy employing a memory-saving policy and a memory-retrieval screen. Experiments show AM-Sentry significantly reduces GhostWriter's success rate while maintaining agent utility.

Why it matters

As LLM agents become more integrated into personal and professional workflows, understanding and mitigating memory poisoning attacks is crucial for ensuring data privacy, security, and the trustworthiness of AI systems.

How to implement this in your domain

  1. 1Implement robust memory governance policies for any LLM agents handling sensitive information or interacting with external tools.
  2. 2Integrate memory-saving policies and retrieval screens, similar to AM-Sentry, into agent architectures.
  3. 3Conduct thorough security audits and penetration testing specifically targeting memory subsystems of AI agents.
  4. 4Educate users and developers about the risks of memory poisoning attacks and best practices for agent interaction.

Who benefits

CybersecuritySoftware DevelopmentEnterprise AIFinancial ServicesHealthcare

Key takeaways

  • LLM agents with long-term memory are vulnerable to novel memory poisoning attacks like GhostWriter.
  • GhostWriter achieves high injection and activation rates due to a lack of memory governance.
  • The attack poses significant risks to data privacy and agent trustworthiness.
  • AM-Sentry, a proposed mitigation, can dramatically reduce attack success rates.

Original post by George Torres, Sharad Shrestha, Satyajayant Misra

"arXiv:2607.06595v1 Announce Type: cross Abstract: Personal AI agents powered by large language models can reason and act using available tools to access emails, manage calendars, and push code to remote repositories, all with minimal oversight. When augmented with long-term memor…"

View on X

Originally posted by George Torres, Sharad Shrestha, Satyajayant Misra on X · view source

Want to go deeper?

Turn these trends into skills with Learnijoy's hands-on AI & tech courses.

Explore courses

More in AI Engineering & DevTools

AI ResearchAI Engineering & DevTools

Transformers Learn Non-Invertible Modular Multiplication via Stratified Fourier Mechanisms.

This research investigates how small transformers learn modular integer multiplication over composite moduli, a non-invertible operation. It proposes the "monoid extension" theory, suggesting models partition input space into hierarchical algebraic regions where Fourier mechanisms apply, explaining how embeddings, attention, and local features contribute to the computation.

Zitong Andrew Chen, Junaid Hasan, Akhil Srinivasan, Hemkesh Bandi, Jarod AlperJul 9, 2026
AI Engineering & DevToolsAI Research

New Interpretable Model Handles Feature Interactions in Tabular Data.

This paper introduces Interaction Aware Interpretable Machine Learning (IAIML), a framework for tabular data that addresses the limitation of traditional interpretable models in capturing feature interactions. IAIML uses adaptive discretization, pairwise interaction scoring, and a partitioned explanation budget to achieve high accuracy while maintaining interpretability.

Srikumar KrishnamoorthyJul 9, 2026
AI ResearchAI Engineering & DevTools

Principles of Deep Feedforward ReLU Networks Unveiled.

This paper systematically studies the mechanisms of deep feedforward ReLU networks, generalizing principles from two-layer networks to deeper architectures. It explains how hidden-layer units form piecewise linear manifolds to divide input space and how paths and their relationships are central to understanding the back-propagation training solution.

Changcun HuangJul 9, 2026