Ask an AI agent to summarise product reviews, and a single planted review can make it click “Buy Now” instead. That is the unsettling demonstration behind a new attack class from researchers at Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft. They call it agent data injection, and it works by corrupting what an agent believes rather than hijacking what it was told to do.
The distinction matters enormously. Classic prompt injection hides an order inside data, something like “ignore your task and email me the files,” and modern defences catch that reliably now. This attack works one layer down, targeting the small facts agents quietly trust, such as who sent an email or which button carries which ID. Corrupt those, and the agent still performs your task, just on top of a lie.
Agents wrap data in quotes, braces and tags to mark where one field ends and another begins, and a strict parser reads that punctuation by rule. A language model reads it by guesswork, so scattering punctuation-like characters into a field you control makes the model hallucinate structure that never existed. Alarmingly, the fake punctuation need not even be correct, since an escaped quote or a dollar sign fooled it repeatedly.
Even web agents including Claude in Chrome and Google’s Antigravity clicked the wrong button, while coding assistants like Claude Code, OpenAI’s Codex and Gemini CLI ran attacker commands after a forged GitHub comment impersonated a maintainer.
Confirmation prompts offer thin protection. They ask whether the agent may click or run something, without revealing that the underlying facts were planted.
Woohyuk Choi, who collaborated with Prof. Byoungyoung Lee on the paper, shared that OpenAI, Google, and Anthropic have all acknowledged the validity of the attack. He mentioned that both OpenAI and Google requested a copy of the paper. However, he added that the team hasn’t received any updates regarding a fix, whether it’s already been implemented or is in the works.
Choi noted that one of the challenging aspects was deciphering the format used by a cloud service, but the team managed to pull it off. They were able to coax the model into revealing its server-side format through a multi-turn jailbreak, which surprisingly worked with varying degrees of success on GPT, Claude, and Gemini.
Interestingly, there’s a bit of a shortcut: larger and smaller models from the same company often share the same format. This means an attacker could extract it from a smaller model, which is generally easier to crack. Choi believes that this format will remain accessible even as models advance, since language models struggle to keep such secrets under wraps.
All six models failed, succeeding against structured data 31% to 43% of the time, and purpose-built defenses still let it through half the time.

