Post

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

New MemGhost Attack: A Game Changer in AI Security 🚀

Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false “fact” about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with.

The researchers named the attack stealth memory injection and built a tool that writes the emails automatically. The paper, “When Claws Remember but Do Not Tell,” landed on arXiv on July 6, 2026.

How It Works

A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. The attacker does not need your password or your account. They send an email to someone whose agent is set up to check their inbox. If the agent’s email skill takes the bait, three things happen in a row:

  • The agent uses its own file tools to write the attacker’s false note into its persistent memory.
  • Its visible reply says nothing about having done so.
  • Later, in a fresh conversation, that false note changes what it tells you or does for you.

In one of the study’s test cases, the planted lie was that the user’s Zelle daily sending limit had been raised to $10,000. To make the poison stick, the tool aims it at the core files that load every session, so a single write is loaded into every later session.

MemGhost in Action

The attack is generated by a tool the researchers call MemGhost. Across 56 fresh test cases, MemGhost pulled off the full attack, planting a false memory, hiding it, then swaying the agent’s answers in a later session. It worked in 87.5% of background-mode runs against OpenClaw on GPT-5.4, and 71.4% against a Claude Code SDK agent on Sonnet 4.6. An input filter built to catch poisoned emails missed MemGhost’s message more than nine times in ten, and a model specially hardened to ignore instructions that arrive by email still followed the planted one about half the time.

Conclusion

MemGhost crosses none of OpenClaw’s security policy boundaries since it works through the agent’s own memory-write tool. The study’s authors argue that the real fix has to live inside the agent: tagging where a piece of information came from, asking the user before anything reaches durable memory, and logging every write. This is a lab result, not a break-in in progress. The researchers ran everything in sealed test environments with fake inboxes and fake users.

To read the complete article see: Read full article

This post is licensed under CC BY 4.0 by the author.