How adversarial feed curation steers LLM agent decisions
A June 2026 study shows that choosing which benign posts an LLM agent reads before it acts can tip its decisions — with no injected instruction and no payload a content filter could catch.
What is this?
On June 2, 2026, a paper titled Adversarial Feeds Steer LLM Agent Decisions Against Their Defaults described a manipulation channel that most agent evaluations never test: the upstream ranker that decides which items an agent reads just before it acts. Instead of smuggling an instruction into a document — the classic indirect prompt injection pattern — the study asks a different question. What if every individual post the agent sees is benign, and the manipulation lives entirely in which posts are selected, and in what proportion?
The answer, across thousands of decision rollouts on four open instruct models, is that feed curation alone can shift what an agent decides. This is published, defensive research — no novel attack is being introduced here — and its lesson is that agent security has to audit the feed layer, not just the final prompt.
How it works
The experimental protocol holds everything constant except the feed. The model, the persona, the topic, and the final forced-choice question are fixed. The only thing that varies is the composition and ordering of the posts an agent “scrolls” through during a ten-turn exposure phase before it answers. Because everything else is held constant, any change in the final decision is attributable to feed curation and nothing else.
Critically, no item carries an instruction. The adversarial posts argue one side of a debate persuasively, without named individuals or explicit imperatives. There is no jailbreak string, no injected command, no doctored payload — which is exactly why an input-scanning filter cannot see the attack. The manipulation is the selection of otherwise unremarkable content, and the target is a downstream multi-step decision rather than a single-turn output.
The measured behavior falls into three regimes. Some models capitulate, drifting toward whichever direction the feed pushes. Others saturate, returning a fixed default no matter what they read. The most instructive pattern is a default-direction asymmetry: a one-sided feed reliably tips a decision the model was genuinely uncertain about, yet cannot dislodge one it already holds firmly. The effect follows a dose-response curve, with an onset around two adversarial posts in a batch of five, and it survived a generator swap in which a different model wrote the posts — ruling out a writing-style artifact.
Why it matters
The security implication is concrete and, in the study, includes security-relevant choices, not just soft policy opinions. Where an agent’s safe default is the cautious option — keep a deployment gate in place, keep mandatory MFA and least-privilege access — an adversary who controls upstream ranking can erode that default toward a riskier choice using only benign-looking content. This is close in spirit to RAG opinion manipulation and search-agent endorsement corruption, but it removes the payload entirely.
The exposure is real for any agent wired to a channel a third party can influence: social platforms, search rankings, retrieval-augmented memory, email triage, or a recommender. It is also bounded. The attack only moves contestable decisions with a movable default; two of the four tested models were saturated and did not budge, and the authors note that a preliminary probe found a frontier model retained its reasoned default under the same attack. Susceptibility scales down with model capability and alignment — so this is a graded risk, not a universal break.
Defenses
The paper tests two simple feed-level defenses and finds both help, at least on the cleanest susceptible model.
- Balance the exposure. Enforcing a mix of viewpoints in what the agent reads — rather than letting a one-sided stream accumulate — largely restored the safe default in testing. Diversity constraints on the feed are a direct mitigation.
- Disclose the ranking. Prepending a short, persona-level note that the feed may have been adversarially selected measurably reduced the effect. Telling the agent that its information stream is untrusted is cheap and partially effective.
- Audit the feed layer, not just the prompt. A benchmark that tests only the final prompt misses this control surface entirely. Evaluate agents against adversarial rankers, and report model-specific susceptibility rather than an average.
- Constrain the blast radius. As with the lethal trifecta, the danger peaks when a steered agent can act. Gate high-impact actions behind confirmation, scope permissions tightly, and keep a human in the loop for irreversible decisions so a nudged recommendation cannot execute unchecked.
- Prefer robust defaults. The attack fails against firmly held defaults. Where a decision is security-relevant, pin the safe option as a hard policy rather than leaving it to a movable preference the feed can erode.
Status
| Property | Finding |
|---|---|
| Disclosure | Public research paper, June 2, 2026 (2606.00914) |
| Channel | Upstream ranker / feed curation — no injected payload |
| Models moved | Llama 3.2-3B, Gemma 4 (2 of 4); Qwen 3.5-2B/9B saturated |
| Onset | ≈ 2 adversarial posts per 5-post batch (dose-response) |
| Scope | Tips movable defaults, including security decisions; fails on firm or aligned defaults; frontier model held in a preliminary probe |
| Mitigations | Balanced exposure, ranking disclosure, feed-layer audits, action gating |
The reframing is the point: in an agentic setting, an agent’s output is a function not only of its weights and the user prompt but of the information trajectory a ranker chose for it. The question is no longer only whether a model behaves well on a clean prompt, but who controls what it reads just before it answers.