A new benchmark called MemPoison runs 1,227 hand-validated attack cases against 10 model families and finds that the defenses most LLM agents use to guard their persistent memory catch only the simplest threats [S1]. The sophisticated attacks, where individually harmless memories combine into something dangerous or lie dormant until the right trigger fires, slip straight through [S1]. What that breaks for every team shipping agents with memory, and why the fix is harder than it sounds, is just ahead.

How the poisoning works

Persistent external memory is what lets an LLM agent recall facts across conversations. The same feature that gives an agent continuity also gives attackers a permanent foothold [S1]. Malicious content can be slipped in through ordinary user interaction, then stored across turns and eventually skew what the agent does [S1].

MemPoison organises these attacks into three tiers [S1]:

  • L1: direct single-record corruption. One poisoned memory record, planted in one shot. The simplest form, and the one current defenses handle.
  • L2: compositional multi-record corruption. Two or more records, each individually benign, that combine at retrieval time to produce harmful behaviour. No single record trips the alarm.
  • L3: context-triggered dormant corruption. A poisoned record sits in memory doing nothing until a specific trigger condition in the conversation activates it. A sleeper agent, in effect.

The benchmark covers four attack types, three injection channels, and three representative memory substrates, tested across seven open-weight and three closed-weight model families [S1].

This is not the first time researchers have flagged memory as an attack surface. A related GitHub codebase for sleeper memory poisoning in LLM agents appeared in May 2026 [P3], and a separate arXiv paper on hijacking agent memory through conversational interaction explores similar territory [P4]. What MemPoison adds is the systematic benchmark, the taxonomy, and the diagnostic showing why defenses fail.

Why standard defenses fail

Most agent frameworks that use persistent memory try to defend it at write time, the moment a record gets stored. A consistency check, for instance, scans incoming memory for contradictions or malicious content before saving it [S1].

This works for L1. It fails for L2 and L3 [S1].

The reason is structural. A write-time check sees each record in isolation. In an L2 attack, each record looks harmless on its own. The harm only emerges when the agent retrieves several records together and combines them. In an L3 attack, the record is dormant until a trigger fires, so there is nothing malicious to detect at write time [S1].

The authors call their diagnostic tool mechanistic influence decomposition, or MID. It traces how much each memory record contributes to the agent's final output, making the blind spots visible [S1]. Write-time defenses, MID shows, let through records that appear harmless individually but turn dangerous when retrieved together or activated by a trigger [S1].

What it means

Persistent memory is what makes LLM agents feel like they know you. A customer service agent that remembers your account history. A coding assistant that recalls your project conventions. A research agent that tracks what you have already asked.

The MemPoison findings say that memory is also a permanent attack surface. Anyone who can send messages to the agent, through the same chat channel it already uses, can plant content that stays [S1]. The defenses most teams would build first, checking memory at storage time, have a hole that sophisticated attacks walk through.

The authors argue for abandoning static filtering in favour of adaptive, context-sensitive defenses that evaluate memory at retrieval time and at write time [S1]. That means checking what a record does in combination with other records and in the context of the current query, and whether it looks bad on its own.

This is a harder engineering problem. Retrieval-time checks run on every query and on every write, so they add latency and cost. But the alternative is a memory layer that catches the easy attacks and misses the ones that actually matter.

What it means for business

A two-person startup shipping a customer-facing agent with memory needs to know that the chat box is an injection point. A user, or an attacker posing as one, can plant content that persists across sessions [S1].

The practical implications this quarter:

  • If your agent stores user-provided text in memory and retrieves it later, you have an L1 exposure at minimum. Basic consistency checks at write time will catch crude attempts [S1].
  • If your agent combines multiple memory records when answering, you have an L2 exposure. No amount of write-time filtering will fully close it [S1].
  • If your agent has long-running sessions where memory accumulates over days or weeks, L3 dormant attacks become feasible. A poisoned record could sit untouched until a specific phrase or topic triggers it [S1].

For a suburban real estate agency running an agent that remembers client preferences across visits, this means a competitor could inject instructions into the agent's memory that subtly steer recommendations. For a cafe using an agent to take orders and remember regulars, a planted memory record could alter how it responds to certain menu items.

Teams building agents should treat memory as untrusted input on every read and on every write. The cost is real, but so is the risk of an agent that quietly carries poisoned instructions for weeks.

What we don't know yet

The paper is a preprint on arXiv, listed under cs.CR and q-fin.GN, and has not been peer-reviewed [S1]. The findings come from the authors' own benchmark on their own test cases, with no cited independent replication [S1].

Specific model families and vendors are not named in the evidence. The paper says seven open-weight and three closed-weight families were tested, but we do not know which ones, whether closed-weight models performed better or worse, or how the attacks behaved across different architectures [S1].

No real-world exploitation has been documented. MemPoison is a benchmark and analysis framework, not a report of active attacks in the wild [S1].

The authors propose adaptive, context-sensitive defenses but have not released a production-ready defense tool or patch [S1]. How much latency and cost retrieval-time checks would add in practice, and whether they can be made cheap enough for real-time agents, remains an open question.

The next thing to watch for is whether the paper survives peer review and whether independent teams replicate the L2 and L3 attack success rates on named model families. If the MemPoison code and benchmark are released, teams could test their own agents against the 1,227 cases and find out where they stand.

Subscribe to keep following this story as the peer-review process unfolds.

Sources

More from Not A Tech Guy


Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.