TL;DR
ShadowMerge introduces a novel poisoning attack on graph-based agent memory by exploiting relation-channel conflicts, achieving high success rates without affecting unrelated tasks.
Contribution
The paper presents SHADOWMERGE, a new poisoning method that overcomes limitations of prior attacks by targeting relation-channel conflicts in graph memory systems.
Findings
Achieves 93.8% attack success rate on multiple datasets.
Outperforms existing baseline attacks by 50.3 points.
Remains effective despite common input-side defenses.
Abstract
Graph-based agent memory is increasingly used in LLM agents to support structured long-term recall and multi-hop reasoning, but it also creates a new poisoning surface: an attacker can inject a crafted relation into graph memory so that it is later retrieved and influences agent behavior. Existing agent-memory poisoning attacks mainly target flat textual records and are ineffective in graph-based memory because malicious relations often fail to be extracted, merged into the target anchor neighborhood, or retrieved for the victim query. We present SHADOWMERGE, a poisoning attack against graph-based agent memory that exploits relation-channel conflicts. Its key insight is that a poisoned relation can share the same query-activated anchor and canonicalized relation channel as benign evidence while carrying a conflicting value. To realize this, we design AIR, a pipeline that converts the…
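A memory-side audit for the conflict pattern the abstract describes (same anchor, same canonicalized relation channel, different value), added here as an example and not taken from the paper. The edge schema, the synonym table and the set of single-valued channels are assumptions, and this check is not one of the defenses the page reports results for.

```python
from collections import defaultdict

# Assumed synonym table: surface relation names -> one canonical channel.
CANONICAL = {"works at": "employer", "employed by": "employer",
             "lives in": "residence", "resides in": "residence"}
# Assumed channels that should hold exactly one value per anchor.
SINGLE_VALUED = {"employer", "residence"}

def canonicalize(relation):
    """Normalize case, underscores and spacing, then map synonyms to a channel."""
    key = " ".join(relation.lower().replace("_", " ").split())
    return CANONICAL.get(key, key)

def find_channel_conflicts(edges):
    """Return single-valued (anchor, channel) pairs that hold more than one value."""
    channels = defaultdict(lambda: defaultdict(set))
    for e in edges:
        chan = (e["anchor"].strip().lower(), canonicalize(e["relation"]))
        channels[chan][e["value"].strip().lower()].add(e["source"])
    conflicts = []
    for chan, by_value in sorted(channels.items()):
        if chan[1] not in SINGLE_VALUED or len(by_value) < 2:
            continue  # multi-valued relations such as "likes" are not conflicts
        # Triage heuristic only: values backed by fewer distinct sources are
        # queued for review. Source count is not proof of which value is true.
        ranked = sorted(by_value.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        conflicts.append({
            "channel": chan,
            "majority": ranked[0][0],
            "review": [{"value": v, "sources": sorted(s)} for v, s in ranked[1:]],
        })
    return conflicts

# Constructed sample memory (not real data).
SAMPLE_EDGES = [
    {"anchor": "Alice", "relation": "works_at", "value": "Acme", "source": "session-01"},
    {"anchor": "Alice", "relation": "employed by", "value": "Acme", "source": "session-04"},
    {"anchor": "alice", "relation": "Employer", "value": "Globex", "source": "web-doc-17"},
    {"anchor": "Alice", "relation": "likes", "value": "tea", "source": "session-02"},
    {"anchor": "Alice", "relation": "likes", "value": "coffee", "source": "session-03"},
    {"anchor": "Bob", "relation": "lives in", "value": "Oslo", "source": "session-05"},
]

if __name__ == "__main__":
    for c in find_channel_conflicts(SAMPLE_EDGES):
        print(c)
```

Running the audit on write, before an edge is merged, lets the conflicting value be held with its source for review instead of competing with benign evidence at retrieval time.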
