Researchers disclosed MemGhost, a prompt-injection attack that causes AI personal agents to store false information from a single malicious email in persistent memory and later act on it without notifying the user. The technique, described as stealth memory injection in the paper When Claws Remember but Do Not Tell, targeted OpenClaw as the primary case study and showed that agents combining untrusted email ingestion with durable memory writes can be manipulated into retaining attacker-planted facts.
In lab tests cited by The Hacker News, MemGhost succeeded in 87.5% of background-mode runs against OpenClaw on GPT-5.4 and 71.4% against a Claude Code SDK agent on Sonnet 4.6, while bypassing some existing defenses across multiple frameworks and memory backends. OpenClaw's published security guidance and repository security policy provide the project context, but the researchers said the weakness is largely architectural rather than a simple patchable flaw, recommending mitigations such as provenance tracking, explicit confirmation before persistent memory writes, and audit logging.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Researchers disclosed benchmark results showing MemGhost achieved high success rates in lab tests, including 87.5% of background-mode runs against OpenClaw on GPT-5.4, and noted the technique could evade some existing defenses. They characterized the issue as architectural rather than a simple patchable bug and recommended mitigations such as provenance tracking, confirmation before persistent writes, and audit logging.
The paper "When Claws Remember but Do Not Tell" was published on arXiv, describing a stealth memory injection technique that can cause AI agents to store false information from a malicious email into persistent memory. The research used OpenClaw as the primary target and introduced the automated attack generator MemGhost.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcegithub.com
Open sourcedocs.openclaw.ai
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.