Fetching from the wire…
Security2026-07-10 · source-backed
arXiv 2607.05120 defines a new attack class: instead of hijacking what the agent does, corrupt which resources it acts upon, by injecting probabilistic delimiters that make untrusted data read as trusted metadata (resource IDs, data origin, tool-call history). On agents where instruction injection lands 0.0% to 0.7% of the time, ADI hits 49.1%. Llama Guard 2 input guardrails let 50.0% through. LlamaFirewall output guardrails let 45.4% through. Neither can distinguish a corrupted action from a legitimate one, because the action is legitimate. The resource is wrong.
Each link below shares sources, entities, or timing with this story.
Same source domain / Shared topic / Tension
Reported by the same outlet (arxiv.org); overlapping topics (action, acts, agent); pushes against this story (against).
Reported by the same outlet (arxiv.org); overlapping topics (agent, attack, guardrail); pushes against this story (against).
Reported by the same outlet (arxiv.org); overlapping topics (agent, attack, class); pushes against this story (but).