← Back to Daily Briefing

Adversaries are pivoting from direct prompt injection to indirect injection attacks targeting agentic AI systems by poisoning external data sources. By manipulating Model Context Protocol (MCP) tool definitions and OpenAPI/Swagger specifications, attackers embed malicious instructions within metadata fields such as 'description' or 'parameter'. When an AI agent parses this documentation to resolve tool-calling logic, it interprets the embedded payloads as functional requirements. This enables unauthorized tool execution, facilitating sensitive data exfiltration to attacker-controlled callback URLs, privilege escalation, and fraudulent financial transactions, including cryptocurrency payments. This vulnerability fundamentally compromises the security boundary of AI agents utilizing external tool integration and grounding.

  • Threat Model: Indirect Data Poisoning
    • Transition from direct user-to-model interaction to passive exploitation of external data.
    • Targeting of "grounding" sources and tool-calling metadata within agentic workflows.
    • Exploitation of the inherent trust agents place in structured API specifications and schemas.
  • Attack Mechanics: Schema Manipulation
    • Injection of malicious instructions into Model Context Protocol (MCP) tool definitions.
    • Poisoning of OpenAPI/Swagger documentation via 'description' and 'parameter' fields.
    • Use of manipulated JSON tool schemas to alter agentic decision-making processes.
    • Delivery of indirect injection payloads through web-search results used for agent grounding.
  • Detection & Indicators: Identifying Malicious Metadata
    • Monitoring for anomalous instruction strings within JSON schema 'description' fields.
    • Auditing tool-calling logs for unexpected outbound network requests to unverified domains.
    • Detecting sudden shifts in agent behavior following the ingestion of new documentation or tools.
  • Systemic & Security Impact: Agent Hijacking
    • Unauthorized data exfiltration via automated calls to attacker-controlled callback URLs.
    • Financial loss through the execution of unauthorized cryptocurrency payments.
    • Privilege escalation by leveraging the agent's authorized tool-calling capabilities.
    • Compromise of sensitive user session tokens and API credentials.
  • Countermeasures: AI-Centric Defenses
    • Strict schema validation and sanitization for all external tool and API definitions.
    • Implementation of network egress filtering to block unauthorized callback URLs.
    • Deployment of Human-in-the-loop (HITL) protocols for high-stakes tool execution.
    • Enhanced monitoring of LLM reasoning chains for instructional and logic anomalies.

Related posts

  1. gbhackers.com — Hackers Use Fake API Documentation to Trick AI Agents Into Sending Crypto Payments
  2. vibegraveyard.ai — Prompt injection stopped being theoretical - Unit 42 found AI agents obeying poisoned web pages
  3. vibegraveyard.ai — GeminiJack turned a poisoned document into silent corporate data theft
  4. TechNadu — Model Context Protocol (MCP) Tool Poisoning Hijacks AI Agents to Steal Data
  5. Cybersecurity News — Hackers Abuse SEO Poisoning and Hidden HTML to Trick AI Agents Into Following Malicious Instructions
  6. Bragg
  7. Zscaler

LINK COPIED TO CLIPBOARD