{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2024:WHSYSS7UY2YUZCWI43IT36PRSL","short_pith_number":"pith:WHSYSS7U","schema_version":"1.0","canonical_sha256":"b1e5894bf4c6b14c8ac8e6d13df9f192d5ca01f8956c653a8b7f4df2dcc3929c","source":{"kind":"arxiv","id":"2410.07283","version":1},"attestation_state":"computed","paper":{"title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems","license":"http://creativecommons.org/licenses/by-sa/4.0/","headline":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus.","cross_cats":["cs.AI","cs.CR"],"primary_cat":"cs.MA","authors_text":"Donghyun Lee, Mo Tiwari","submitted_at":"2024-10-09T11:01:29Z","abstract_excerpt":"As Large Language Models (LLMs) grow increasingly powerful, multi-agent systems are becoming more prevalent in modern AI applications. Most safety research, however, has focused on vulnerabilities in single-agent LLMs. These include prompt injection attacks, where malicious prompts embedded in external content trick the LLM into executing unintended or harmful actions, compromising the victim's application. In this paper, we reveal a more dangerous vector: LLM-to-LLM prompt injection within multi-agent systems. We introduce Prompt Infection, a novel attack where malicious prompts self-replicat"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"2410.07283","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29Z","cross_cats_sorted":["cs.AI","cs.CR"],"title_canon_sha256":"9396357490d2530e8840baddc4e7cee0c7e195427cb9b5e393ff922fd715d568","abstract_canon_sha256":"150d92e4c44659a988d553976dfb33b5a2b99eea00fd107f3acde2dc4536d928"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:38:50.417757Z","signature_b64":"hUfG61ZqPveTOYDxgKwIk5cPbh+RF66xZ1PJ5xRlmP3GqX/I1hVfGELei9+uxIeCFXzd4hE3YLkgddNr5CiGAw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b1e5894bf4c6b14c8ac8e6d13df9f192d5ca01f8956c653a8b7f4df2dcc3929c","last_reissued_at":"2026-05-17T23:38:50.417208Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:38:50.417208Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems","license":"http://creativecommons.org/licenses/by-sa/4.0/","headline":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus.","cross_cats":["cs.AI","cs.CR"],"primary_cat":"cs.MA","authors_text":"Donghyun Lee, Mo Tiwari","submitted_at":"2024-10-09T11:01:29Z","abstract_excerpt":"As Large Language Models (LLMs) grow increasingly powerful, multi-agent systems are becoming more prevalent in modern AI applications. Most safety research, however, has focused on vulnerabilities in single-agent LLMs. These include prompt injection attacks, where malicious prompts embedded in external content trick the LLM into executing unintended or harmful actions, compromising the victim's application. In this paper, we reveal a more dangerous vector: LLM-to-LLM prompt injection within multi-agent systems. We introduce Prompt Infection, a novel attack where malicious prompts self-replicat"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"We introduce Prompt Infection, a novel attack where malicious prompts self-replicate across interconnected agents, behaving much like a computer virus. This attack poses severe threats, including data theft, scams, misinformation, and system-wide disruption, all while propagating silently through the system.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That LLM agents will reliably execute and propagate the injected malicious prompts when received from other agents, without built-in refusal mechanisms or sufficient context to detect the infection, even in partially shared communication setups.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"e29b99e34a0e9ac14a24a72c0e70f0ffea41a43b1621738a548a362f4d863b43"},"source":{"id":"2410.07283","kind":"arxiv","version":1},"verdict":{"id":"7c88c537-2a4a-4500-bd4b-93bcc8065a7f","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T19:28:47.471286Z","strongest_claim":"We introduce Prompt Infection, a novel attack where malicious prompts self-replicate across interconnected agents, behaving much like a computer virus. This attack poses severe threats, including data theft, scams, misinformation, and system-wide disruption, all while propagating silently through the system.","one_line_summary":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That LLM agents will reliably execute and propagate the injected malicious prompts when received from other agents, without built-in refusal mechanisms or sufficient context to detect the infection, even in partially shared communication setups.","pith_extraction_headline":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus."},"references":{"count":101,"sample":[{"doi":"10.48550/arxiv.2401.11880","year":null,"title":"Psysafe: A comprehensive framework for psychological-based attack, defense, and evaluation of multi-agent system safety","work_id":"98f21910-5310-4acc-97ce-abf35e13d48a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Tian, Yu and Yang, Xiao and Zhang, Jingyuan and Dong, Yinpeng and Su, Hang , month = feb, year =. Evil","work_id":"a1135af1-22cc-4fdb-a161-ddbdcfb6b508","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Not what you've signed up for:","work_id":"b79f4aea-f1f1-43b2-b63c-afb3e90d086f","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":", month = sep, year =","work_id":"ebede130-3d98-4e5d-8df8-f72ccd3998fc","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.48550/arxiv.2402.06363","year":null,"title":"StruQ: Defending Against Prompt Injection with Structured Queries","work_id":"5e57b942-26b0-4859-8393-c0fa2c2ad65b","ref_index":6,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":101,"snapshot_sha256":"6237fbb14998b79834fe5a8a4920a1e5f8ff33eab11f8761e42f354212a3e759","internal_anchors":26},"formal_canon":{"evidence_count":2,"snapshot_sha256":"58167cf2ddd27de74765f77ccae0ba48c3a08e2896536b897cd6ab93b497aab5"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"2410.07283","created_at":"2026-05-17T23:38:50.417293+00:00"},{"alias_kind":"arxiv_version","alias_value":"2410.07283v1","created_at":"2026-05-17T23:38:50.417293+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2410.07283","created_at":"2026-05-17T23:38:50.417293+00:00"},{"alias_kind":"pith_short_12","alias_value":"WHSYSS7UY2YU","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_16","alias_value":"WHSYSS7UY2YUZCWI","created_at":"2026-05-18T12:33:37.589309+00:00"},{"alias_kind":"pith_short_8","alias_value":"WHSYSS7U","created_at":"2026-05-18T12:33:37.589309+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":26,"internal_anchor_count":26,"sample":[{"citing_arxiv_id":"2503.21460","citing_title":"Large Language Model Agent: A Survey on Methodology, Applications and Challenges","ref_index":221,"is_internal_anchor":true},{"citing_arxiv_id":"2605.06933","citing_title":"MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security","ref_index":38,"is_internal_anchor":true},{"citing_arxiv_id":"2605.19159","citing_title":"On the Geometric Limits of Transformer Defenses against Obfuscation Attacks: Latent Embedding Collapse & Performance Robustness Gap","ref_index":10,"is_internal_anchor":true},{"citing_arxiv_id":"2506.02546","citing_title":"To trust or not to trust: Attention-based Trust Management for LLM Multi-Agent Systems","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2510.12826","citing_title":"Scheming Ability in LLM-to-LLM Strategic Interactions","ref_index":34,"is_internal_anchor":true},{"citing_arxiv_id":"2510.14133","citing_title":"Formalizing the Safety, Security, and Functional Properties of Agentic AI Systems","ref_index":14,"is_internal_anchor":true},{"citing_arxiv_id":"2510.23883","citing_title":"Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges","ref_index":38,"is_internal_anchor":true},{"citing_arxiv_id":"2504.19793","citing_title":"Prompt Injection Attack to Tool Selection in LLM Agents","ref_index":67,"is_internal_anchor":true},{"citing_arxiv_id":"2603.28013","citing_title":"Kill-Chain Canaries: Stage-Level Tracking of Prompt Injection Across Attack Surfaces and Model Safety Tiers","ref_index":6,"is_internal_anchor":true},{"citing_arxiv_id":"2604.02837","citing_title":"Towards Secure Agent Skills: Architecture, Threat Taxonomy, and Security Analysis","ref_index":30,"is_internal_anchor":true},{"citing_arxiv_id":"2605.12364","citing_title":"Attacks and Mitigations for Distributed Governance of Agentic AI under Byzantine Adversaries","ref_index":35,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11514","citing_title":"FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems","ref_index":31,"is_internal_anchor":true},{"citing_arxiv_id":"2605.11039","citing_title":"The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck","ref_index":12,"is_internal_anchor":true},{"citing_arxiv_id":"2605.08268","citing_title":"Insider Attacks in Multi-Agent LLM Consensus Systems","ref_index":51,"is_internal_anchor":true},{"citing_arxiv_id":"2605.08460","citing_title":"When Child Inherits: Modeling and Exploiting Subagent Spawn in Multi-Agent Networks","ref_index":48,"is_internal_anchor":true},{"citing_arxiv_id":"2605.10481","citing_title":"Safe Multi-Agent Behavior Must Be Maintained, Not Merely Asserted: Constraint Drift in LLM-Based Multi-Agent Systems","ref_index":21,"is_internal_anchor":true},{"citing_arxiv_id":"2605.09278","citing_title":"EquiMem: Calibrating Shared Memory in Multi-Agent Debate via Game-Theoretic Equilibrium","ref_index":31,"is_internal_anchor":true},{"citing_arxiv_id":"2605.03378","citing_title":"ARGUS: Defending LLM Agents Against Context-Aware Prompt Injection","ref_index":125,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01133","citing_title":"When Embedding-Based Defenses Fail: Rethinking Safety in LLM-Based Multi-Agent Systems","ref_index":18,"is_internal_anchor":true},{"citing_arxiv_id":"2605.01143","citing_title":"A Low-Latency Fraud Detection Layer for Detecting Adversarial Interaction Patterns in LLM-Powered Agents","ref_index":28,"is_internal_anchor":true},{"citing_arxiv_id":"2605.06933","citing_title":"MAGIQ: A Post-Quantum Multi-Agentic AI Governance System with Provable Security","ref_index":38,"is_internal_anchor":true},{"citing_arxiv_id":"2605.07110","citing_title":"Securing Computer-Use Agents: A Unified Architecture-Lifecycle Framework for Deployment-Grounded Reliability","ref_index":179,"is_internal_anchor":true},{"citing_arxiv_id":"2604.04522","citing_title":"HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2604.15367","citing_title":"SoK: Security of Autonomous LLM Agents in Agentic Commerce","ref_index":119,"is_internal_anchor":true},{"citing_arxiv_id":"2604.17125","citing_title":"CASCADE: A Cascaded Hybrid Defense Architecture for Prompt Injection Detection in MCP-Based Systems","ref_index":12,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":2,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL","json":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL.json","graph_json":"https://pith.science/api/pith-number/WHSYSS7UY2YUZCWI43IT36PRSL/graph.json","events_json":"https://pith.science/api/pith-number/WHSYSS7UY2YUZCWI43IT36PRSL/events.json","paper":"https://pith.science/paper/WHSYSS7U"},"agent_actions":{"view_html":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL","download_json":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL.json","view_paper":"https://pith.science/paper/WHSYSS7U","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=2410.07283&json=true","fetch_graph":"https://pith.science/api/pith-number/WHSYSS7UY2YUZCWI43IT36PRSL/graph.json","fetch_events":"https://pith.science/api/pith-number/WHSYSS7UY2YUZCWI43IT36PRSL/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL/action/timestamp_anchor","attest_storage":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL/action/storage_attestation","attest_author":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL/action/author_attestation","sign_citation":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL/action/citation_signature","submit_replication":"https://pith.science/pith/WHSYSS7UY2YUZCWI43IT36PRSL/action/replication_record"}},"created_at":"2026-05-17T23:38:50.417293+00:00","updated_at":"2026-05-17T23:38:50.417293+00:00"}