A new study by Anthropic, in collaboration with the UK AISI's Safeguards team and The Alan Turing Institute, has revealed that poisoning attacks against large language models (LLMs) are significantly easier than previously believed. Researchers demonstrated that injecting as few as 250 malicious documents into the pretraining data of LLMs, regardless of their size, can successfully backdoor models ranging from 600 million to 13 billion parameters. This finding challenges the prior assumption that larger models require proportionally more poisoned data, raising concerns about the scalability and accessibility of AI poisoning attacks. The study warns that users should exercise caution when trusting outputs from generative AI tools, as poisoned models can be manipulated to provide malicious links or embed backdoors in generated code.
Separately, Palo Alto Networks’ Unit 42 has demonstrated the risks of prompt injection attacks in multi-agent AI systems using the Agent2Agent (A2A) protocol. In their proof-of-concept, a malicious research assistant agent was able to manipulate a financial assistant agent into disclosing sensitive information and performing unauthorized actions, such as buying stock, through multi-stage prompt injections. The A2A protocol enables stateful communication between autonomous agents, which can be exploited by adversaries to inject harmful instructions over multiple interactions. These findings highlight the growing attack surface in AI-driven environments, emphasizing the need for robust safeguards and user vigilance when deploying and interacting with autonomous AI agents.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Researchers reported several ChatGPT flaws that could let attackers trick the AI into leaking data, hijack memory, and create covert data-exposure risks. Multiple outlets described the same underlying vulnerability findings as a single disclosure event.
Researchers showed that prompt injection can affect Agent2Agent interactions, illustrating how one AI agent could be manipulated to influence another in multi-agent workflows.
A report described AI poisoning attacks as easier to carry out than previously believed, indicating that manipulating training data may be a more practical threat than earlier assumptions suggested.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcehackread.com
Open sourcethehackernews.com
Open sourceblog.knowbe4.com
Open sourcescworld.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.