A new class of cyberattack called Agent Data Injection (ADI) allows adversaries to manipulate AI agents by corrupting the factual context they rely on rather than hijacking direct instructions. Unlike traditional prompt injection, which embeds malicious commands, ADI exploits the way Large Language Models (LLMs) interpret data structures like sender names, button IDs, and tool logs. By inserting "probabilistic delimiters" such as fake quotes or brackets, attackers can trick an agent into perceiving fabricated metadata as legitimate system-level information.
Source