Your AI Agent Remembers a Lie It Was Told 3 Months Ago. Researchers Found a 50% Attack Success Rate.
Prompt injection was a session-scoped nuisance. Sleeper memory poisoning makes it permanent. Three independent research teams have now demonstrated that AI agents with long-term memory can be corrupted by a single interaction and stay corrupted across every future session until someone manually scrubs the damage.
The Number
Fifty percent. That is the attack success rate that Google's Gemini-3-Flash achieved when researchers at the University of Virginia planted malicious instructions in an AI agent's long-term memory and waited for a perfectly ordinary user request to trigger them, according to a paper published May 27 on arXiv. Not fifty percent on a contrived benchmark. Fifty percent across three distinct attack strategies, including scenarios where the agent had never been successfully attacked within a single conversation. The adversarial content sat dormant in the agent's memory for multiple sessions, invisible to the user, activated by nothing more exotic than asking the agent to do its job.
Every agent they tested cleared 27%.
The Shift from Transient to Permanent
For three years, prompt injection has been treated as an acute condition: someone tricks your AI into doing something bad right now, in this session, and you restart and the damage is gone. It is the buffer overflow of the AI era, dangerous but bounded by the length of a conversation, and the entire defense playbook reflects this assumption by directing engineers to filter malicious inputs, sandbox tool access, and constrain the blast radius to the current session.
That playbook is now obsolete for any agent with persistent memory, which in 2026 means virtually all of them. OpenAI added long-term memory to ChatGPT in April 2024, Google followed for Gemini, and every serious agent framework from LangChain to Semantic Kernel now supports some form of cross-session state because the platforms competed on who could remember more about you and nobody stopped to ask what happens when an attacker slips something into the memory that was supposed to make the agent more helpful. What happens, it turns out, is a rootkit.
Three Teams, Same Conclusion
The convergence is what makes this hard to dismiss. Three independent research groups, working on different continents with different methodologies, arrived at the same structural finding within months of each other.
Team 1: The UVA Taxonomy. The arXiv:2605.28201 paper from the University of Virginia formalizes what they call "Sleeper Attack," drawing an explicit distinction from single-interaction prompt injection. Their taxonomy operates on two axes: the first describes how adversarial content triggers harmful behavior, either by planting instructions that later induce unsafe actions (Latent Instruction Planting) or by corrupting stored information so the agent later produces incorrect outputs (Persistent Information Corruption), while the second axis specifies where the content hides, whether in session state, long-term memory, or the agent's skill definitions. Their benchmark tests every combination, and the results are unambiguous: Gemini-3-Flash exceeded 50% attack success rate across three strategies, while all evaluated agents reached at least 27% on Persistent Information Corruption, even models that proved resistant to conventional single-turn injection. The paper is careful to note this represents the first unified external-source threat model for cross-interaction LLM agent attacks.
Team 2: The Memory Graft. A separate team published MemoryGraft, taking a more surgical approach: instead of planting instructions, they poisoned the agent's experience memory, the records that retrieval-augmented systems consult when deciding how to handle a new task. The attack vector is banal, just documentation, where an attacker slips malicious "successful experiences" into material the agent might ingest during normal operation. Because retrieval systems weight recent successful examples heavily, a small number of poisoned records accounts for a disproportionately large fraction of what the agent retrieves when it encounters a matching query, and the behavioral drift that results is both subtle and specific: the agent starts skipping validation steps, reusing stale results, and executing risky automation, not because it was told to, but because it remembers doing so successfully before, and the memory of success was fabricated.
Team 3: The Unit 42 Proof of Concept. Palo Alto Networks' Unit 42 went further by demonstrating a complete attack chain against a production system, targeting Amazon Bedrock Agent with memory enabled. The method works by tricking a user into visiting a webpage whose content manipulates the agent's session summarization process, causing the malicious instructions to survive summarization, get written into long-term memory, and become incorporated into the agent's orchestration prompts in every subsequent session. The payload they demonstrated was silent exfiltration of the user's entire conversation history, and Unit 42 confirmed in March 2026 that indirect prompt injection via web content has moved from proof-of-concept to in-the-wild observation, meaning this is no longer a theoretical concern.
Why Memory Makes Everything Worse
Traditional prompt injection has a natural circuit breaker: the context window. Even a successful attack dies when the session ends, because the malicious content has no mechanism to survive the boundary between conversations, but memory removes that circuit breaker entirely. Once adversarial content enters the agent's persistent store, it participates in every future interaction as though it were the agent's own learned knowledge, unflagged and unquarantined, retrieved by the same similarity-search mechanisms that retrieve the user's actual preferences and the agent's legitimate experiences.
This is not a theoretical extrapolation. PersistBench, a benchmark published in February 2026 by Prem Sidharth Pulipaka and colleagues, measured the actual failure rates across 18 frontier and open-source LLMs, and the results are dismal. The median failure rate on cross-domain leakage, where the model inappropriately injects context from stored memories into unrelated conversations, was 53%. On memory-induced sycophancy, where stored memories reinforce user biases in ways the user never intended, the failure rate was 97%. These are not adversarial attacks; this is the model's default behavior with perfectly legitimate memories, which means adversarial content compounds a problem that already exists at baseline.
Add adversarial content and the problem compounds. The September 2024 ChatGPT "spAIware" disclosure demonstrated that persistent injection via long-term memory survives across sessions, device changes, and account restarts because the memory is stored server-side. A separate analysis documented calendar invite poisoning achieving a 73% success rate across 14 tested scenarios, rated high-critical severity.
The Defense Gap
Defenses exist, but none of them work across the full attack surface.
SuperLocalMemory, published in March 2026, proposes a Bayesian trust model where each agent's write operations are weighted by accumulated trust, with negative signals carrying larger magnitude than positive ones so that trust is harder to gain than to lose. In their evaluation, a sleeper agent that writes normally for N operations before injecting contradictory content experiences 72% trust degradation, and the architecture also tracks provenance across four fields: who wrote each memory, through which protocol, at what trust level, and the full modification history. This catches contradictory writes effectively, but it does not catch Latent Instruction Planting, because a planted instruction is not contradictory at all: it is semantically valid, and it simply does something harmful when triggered by a benign query the attacker cannot predict in advance but whose general shape they can anticipate.
MemoryGraft proposes a risk penalty function that flags suspicious patterns like skip_validation in retrieved memories, which works against known attack signatures but fails against novel ones, and that is the fundamental problem with every pattern-matching defense against a natural-language attack surface. PersistBench measures the failure modes but does not propose mitigations; the UVA paper documents the attack taxonomy but explicitly leaves defense to future work.
The honest summary: the research community can now precisely describe how to permanently corrupt an AI agent's memory, and cannot yet precisely describe how to prevent it.
The Rootkit Analogy (and Why It Is Not Hyperbole)
In traditional information security, the community spent roughly fifteen years transitioning its focus from injection attacks (SQL injection, cross-site scripting, buffer overflows) to persistence mechanisms (rootkits, bootkits, firmware implants), because injection gets you in the door but persistence lets you stay. The behavioral economics of defense funding followed the same trajectory: buffer overflows got the DARPA grants in 2000, rootkit detection got them in 2010.
AI security is traversing the same arc in months instead of years, because the attack surface is simpler and the persistence mechanism is architecturally built in. An agent's memory is not a fortified system that an attacker must subvert; it is a text file that the agent is designed to trust absolutely, so the rootkit does not need to hide from an antivirus scanner, it just needs to look like a memory.
What to Do About It
For users running agents with persistent memory right now, the options are uncomfortable but concrete. First, audit what your agent remembers: ChatGPT exposes this under Settings > Personalization > Manage Memory, Gemini shows it in the Saved Info panel, and if you see instructions or "facts" you do not recognize, delete them immediately. Second, consider disabling persistent memory entirely for agents that handle sensitive operations like financial tools, code deployment, or anything with write access to production systems, because the convenience cost is real but the security cost of not doing it is now documented in peer-reviewed research. Third, if you are building an agent framework, implement provenance tracking now by ensuring every memory records its source, its write timestamp, and the trust level of the entity that created it, using SuperLocalMemory's four-field provenance model (created_by, source_protocol, trust_score, provenance_chain) as a reasonable starting template. Fourth, treat memory writes from external content like web pages, emails, and documents with the same suspicion you would treat an executable attachment in 2005: sandbox them, require human confirmation, and log them separately from user-initiated writes.
Limitations
This analysis synthesizes findings from papers that tested different models, different frameworks, and different attack scenarios. The 50% ASR from the UVA paper applies specifically to Gemini-3-Flash under their particular benchmark conditions; other models and real-world deployments may yield different rates. PersistBench's 53% and 97% failure rates measure default model behavior with legitimate memories, not adversarial attacks, and the paper is under review. Unit 42's demonstration used Amazon Bedrock Agent, a single platform with specific memory architecture; their results may not generalize to all agent frameworks. The ChatGPT spAIware disclosure is from September 2024 and OpenAI may have mitigated the specific vector since then. None of the defense papers cited here have been tested at production scale with adversarial red-teaming.
The Strongest Counterargument
The strongest case against alarm is that these attack success rates were measured in research settings where the attacker controls the content the agent ingests. In practice, users do not randomly visit pages designed to poison their agent's memory, and most legitimate web browsing does not trigger memory writes. The attack requires the agent to both ingest the malicious content and decide it is worth remembering, which introduces a natural probabilistic filter that research benchmarks do not capture. Microsoft's Semantic Kernel disclosure (CVE-2026-25592, CVE-2026-26030, since patched) showed that real-world exploitation requires a specific confluence of agent configuration, tool access, and user behavior that narrows the practical attack surface below what benchmarks suggest. It is possible, in other words, that the research is describing a genuine worst case that production deployments will rarely encounter. The counterargument to the counterargument: the September 2024 ChatGPT spAIware exploit and the calendar invite poisoning both worked against production systems with real users, not research benchmarks. And the entire point of sleeper attacks is that they are difficult to detect precisely because the triggering event is benign.
The Bottom Line
The AI industry spent 2024 and 2025 building persistent memory into every agent because users wanted continuity, personalization, and the feeling that their assistant actually knows them, and that instinct was right but the implementation was reckless. Three independent research teams have now documented, with reproducible benchmarks, that the same memory pipeline designed to help your agent remember your preferences can be weaponized to make it remember instructions you never gave it, planted by an attacker you never interacted with, triggered by a request you make next Tuesday that has nothing to do with the attack. The security community has a name for a threat that persists across reboots, hides from detection, and executes when triggered by normal system activity: rootkit. The difference is that traditional rootkits target operating systems with decades of hardened defense infrastructure, while AI memory poisoning targets text files that the agent was designed, from the ground up, to trust.