In the poison stage, the attacker’s goal is to place malicious inputs into locations where they will ultimately be processed by the AI model. Two primary techniques dominate: Direct prompt injection: The attacker is the user, and provides inputs via normal user interactions. Impact is typically scoped to the attacker’s session but is useful for probing behaviors. Indirect prompt injection: The attacker poisons data that the application ingests on behalf of other users (e.g., RAG databases, shared documents). This is where impact scales. Text-based prompt infection is the most common technique
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical BlogThis attack path highlights important considerations for the future of agent-assisted development. Extended supply chain risk: Traditional supply chain attacks focus on injecting malicious code directly. In agentic environments, a compromised dependency can also redirect the agent itself, extending familiar supply chain risks into a new dimension, such as injecting subtle delays that cause performance degradation or denial-of-service scenarios. Instruction following under adversarial conditions: When the agent followed injected configuration directives, including instructions to conceal its
Mitigating Indirect AGENTS.md Injection Attacks in Agentic Environments | NVIDIA Technical BlogPersistence allows attackers to turn a single hijack into ongoing control. By embedding malicious payloads into persistent storage, attackers ensure their influence survives within and across user sessions. Persistence paths depend on the application’s design: Session history persistence: In many apps, injected prompts remain active within the live session. Cross-session memory: In systems with user-specific memories, attackers can embed payloads that survive across sessions. Shared resource poisoning: Attackers target shared databases (e.g., RAG sources, knowledge bases) to impact multiple
Modeling Attacks on AI-Powered Apps with the AI Kill Chain Framework | NVIDIA Technical Blog… Indirect prompt injection as a supply chain vector: The agent’s summarization model was also susceptible to indirect prompt injection through code comments, illustrating how these techniques can chain together across agentic workflows. …
… The AI Kill Chain provides a clear, actionable way to break down how these attacks unfold—stage by stage. It helps teams move beyond generalized “prompt injection” concerns to see where, how, and why attackers can escalate their control. …
… Based on the NVIDIA AI Red Team ’s experience, the following mandatory controls mitigate the most serious attacks that can be achieved with indirect prompt injection: Network egress controls: Blocking network access to arbitrary sites prevents exfiltration of data or establishing a remote shell wit… …
… In the following examples, we test against this general inference setup where the model is initialized, a processor is defined to handle input formatting, and a fixed system prompt is defined: model id = "google/paligemma2-3b-mix-224" model = PaliGemmaForConditionalGeneration.from pretrained model … …
… Safety and Security Use NeMo Agent Toolkit safety and security middleware features to Red Team agentic workflows and find points of exploitability and vulnerabilities like prompt injection, jail break, tool poisoning, and other custom attacks. …
… An agent with persistent shell access, live credentials, the ability to rewrite its own tooling, and six hours of accumulated context running against your internal APIs is a fundamentally different threat model. Every prompt injection is a potential credential leak. …