system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

Catching agent memory poisoning from tool-call logs alone

A June 2026 study shows memory-channel poisoning leaves a forensic fingerprint in an agent's tool-call trajectory — a recall-before-send pattern detectable without touching memory, model weights, or message content.

2026-07-16 // 6 min affects: llm-agents, persistent-memory-agents, langchain, langgraph, openai-assistants

What is this?

When an LLM agent keeps a persistent memory, an attacker can plant a malicious instruction in that memory during one session and have it fire in a much later one. This “memory-channel poisoning” is hard to catch: input filters and retrieval-layer checks never see the trigger session, and the agent stores the bad rule through its own authorized write path, so nothing looks anomalous at write time.

A paper published on arXiv on 30 June 2026 (Forensic Trajectory Signatures for Agent Memory Poisoning Detection) makes a useful observation for defenders: even when the poisoning itself is invisible, the execution of the attack is not. When a poisoned agent finally acts, it has to retrieve the attacker’s stored data before it can use it — and that retrieval shows up in the agent’s tool-call log. The author borrows the framing from classical endpoint detection: just as a host-based IDS spots intrusions from system-call sequences without reading process memory, an agent’s tool-call trace can betray a memory-channel attack without inspecting the memory store, the model’s weights, or the content of any message.

How it works

The study focuses on a delayed-trigger exfiltration attack. A malicious “compliance” document is retrieved via RAG, the agent dutifully saves a routing rule (an attacker-controlled destination address) into persistent memory, and in a later session the agent recalls that rule and emails data to the attacker.

The key structural point is that the destination address is stored as a memory value, not a key. Listing memory returns key names only, so to actually learn where to send the data the agent must call the recall operation before it calls the send operation. Sessions that are benign — or where a defense blocked the attack — skip that retrieval and draft their message directly. The result is a behavioral invariant the author calls recall-before-send: in every successful attack session in the dataset, the first recall strictly preceded the first send, with zero exceptions.

That single rule, applied to trigger-session logs, already separates successful attacks from non-attacks with an area-under-curve of about 0.96. A small classifier over roughly nineteen trajectory features (call counts, tool-pair transitions, entry point) pushes this to about 0.99, and — importantly — the signal is overdetermined: stripping out every recall-related feature leaves the score essentially unchanged, because retrieving the rule sets off a downstream cascade (a second draft, an extra send) that imprints on other features too. The signature held across nine open-source models from 7B to 120B parameters and transferred to frontier models with no retraining. We describe the detection mechanism, not any attack recipe.

Why it matters

Memory poisoning is one of the harder agent threats to prevent — companion work from the same author found that five of six defense classes fail against this delayed-trigger attack, because most of them cannot even observe the relevant surface. A detection method that needs only tool-call logs is attractive precisely because those logs are already emitted by production frameworks such as LangChain, LangGraph, OpenAI Assistants, and Anthropic tool use. No memory inspection, no model internals, no extra inference — a far lower operational bar than defenses that require modifying the memory store or reading activations.

The approach also helps with attribution. A prompt-injection attack that carries the destination in the current prompt does not need a memory recall, so it produces a different trajectory. That lets an incident responder tell a memory-channel attack apart from an ordinary prompt injection using the operation log alone — a genuinely useful forensic boundary when reconstructing what an agent did and why.

Defenses

Treat this as detection that complements, not replaces, prevention.

  • Log every tool call with timestamps. The whole method assumes ordered, timestamped tool-invocation logs. Make sure memory reads, drafts, and sends are all captured; retrieval that bypasses the tool layer (internal caches, implicit context injection) leaves no signature.
  • Alert on recall-before-send. Flag trigger sessions where a memory recall precedes an outbound action toward an unusual destination. It is cheap, needs no model access, and catches the dominant pattern on its own.
  • Run detection in two layers. A prefix-only classifier can flag suspicious sessions in real time before the send completes (with modest accuracy loss), backed by a full-session classifier for post-hoc forensic audit.
  • Keep structural prevention. Detection does not stop the attack. Restricting memory retrieval at the tool layer (so the agent cannot silently recall attacker-controlled routing data) remains the strongest structural control; pair it with provenance on memory writes.
  • Calibrate per model. Reasoning models that call recall frequently to self-verify raise false positives. Tune thresholds per deployment and exclude models with idiosyncratic recall habits from a shared threshold.

Status

ItemValue
ClassForensic detection of memory-channel poisoning (defense)
Signal”Recall-before-send” tool-call invariant in the trigger session
Inputs requiredTool-call logs only — no memory, weights, or message content
Reported accuracy~0.96 AUC (single rule) to ~0.99 (full classifier); generalizes 7B–120B and to frontier models
Known blind spotImplicit-bypass attacks that exfiltrate without a memory recall
Disclosed30 June 2026 (research paper)

Key dates: 30 June 2026 — trajectory-signatures detection paper (arXiv 2606.30566), building on a June 2026 mechanistic study finding most defenses fail against delayed-trigger memory attacks. Related June 2026 work systematizes memory-poisoning write channels (MPBench, arXiv 2606.04329) and cross-session stored prompt injection (arXiv 2606.04425); persistent-control attacks were shown earlier in 2026 (Zombie Agents, arXiv 2602.15654). Model names cited are those reported in the source papers.

Sources