MemoryGraft: Persistent Compromise of LLM Agents via Poisoned Experience Retrieval

TL;DR

MemoryGraft reveals a novel attack on LLM agents that manipulates their long-term memory, causing persistent behavioral changes by implanting malicious experiences that are retrieved during task execution.

Contribution

Introduces MemoryGraft, a new indirect poisoning attack method that compromises LLM agent behavior through long-term memory manipulation, exploiting the semantic imitation heuristic.

Findings

Poisoned experiences significantly influence retrieval outcomes.

Small sets of malicious templates can cause widespread behavioral drift.

MemoryGraft effectively persists across sessions, enabling stealthy attacks.

Abstract

Large Language Model (LLM) agents increasingly rely on long-term memory and Retrieval-Augmented Generation (RAG) to persist experiences and refine future performance. While this experience learning capability enhances agentic autonomy, it introduces a critical, unexplored attack surface, i.e., the trust boundary between an agent's reasoning core and its own past. In this paper, we introduce MemoryGraft. It is a novel indirect injection attack that compromises agent behavior not through immediate jailbreaks, but by implanting malicious successful experiences into the agent's long-term memory. Unlike traditional prompt injections that are transient, or standard RAG poisoning that targets factual knowledge, MemoryGraft exploits the agent's semantic imitation heuristic which is the tendency to replicate patterns from retrieved successful tasks. We demonstrate that an attacker who can supply benign ingestion-level artifacts that the agent reads during execution can induce it to construct a poisoned RAG store where a small set of malicious procedure templates is persisted alongside benign experiences. When the agent later encounters semantically similar tasks, union retrieval over lexical and embedding similarity reliably surfaces these grafted memories, and the agent adopts the embedded unsafe patterns, leading to persistent behavioral drift across sessions. We validate MemoryGraft on MetaGPT's DataInterpreter agent with GPT-4o and find that a small number of poisoned records can account for a large fraction of retrieved experiences on benign workloads, turning experience-based self-improvement into a vector for stealthy and durable compromise. To facilitate reproducibility and future research, our code and evaluation data are available at https://github.com/Jacobhhy/Agent-Memory-Poisoning.