{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2024:WHSYSS7UY2YUZCWI43IT36PRSL","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"150d92e4c44659a988d553976dfb33b5a2b99eea00fd107f3acde2dc4536d928","cross_cats_sorted":["cs.AI","cs.CR"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29Z","title_canon_sha256":"9396357490d2530e8840baddc4e7cee0c7e195427cb9b5e393ff922fd715d568"},"schema_version":"1.0","source":{"id":"2410.07283","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2410.07283","created_at":"2026-05-17T23:38:50Z"},{"alias_kind":"arxiv_version","alias_value":"2410.07283v1","created_at":"2026-05-17T23:38:50Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2410.07283","created_at":"2026-05-17T23:38:50Z"},{"alias_kind":"pith_short_12","alias_value":"WHSYSS7UY2YU","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"WHSYSS7UY2YUZCWI","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"WHSYSS7U","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:b6819d8fcfba4adc92e8494b16d4ec6538ff87e4bf5cb77763f27516b66feecb","target":"graph","created_at":"2026-05-17T23:38:50Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"We introduce Prompt Infection, a novel attack where malicious prompts self-replicate across interconnected agents, behaving much like a computer virus. This attack poses severe threats, including data theft, scams, misinformation, and system-wide disruption, all while propagating silently through the system."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That LLM agents will reliably execute and propagate the injected malicious prompts when received from other agents, without built-in refusal mechanisms or sufficient context to detect the infection, even in partially shared communication setups."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus."}],"snapshot_sha256":"e29b99e34a0e9ac14a24a72c0e70f0ffea41a43b1621738a548a362f4d863b43"},"formal_canon":{"evidence_count":2,"snapshot_sha256":"58167cf2ddd27de74765f77ccae0ba48c3a08e2896536b897cd6ab93b497aab5"},"paper":{"abstract_excerpt":"As Large Language Models (LLMs) grow increasingly powerful, multi-agent systems are becoming more prevalent in modern AI applications. Most safety research, however, has focused on vulnerabilities in single-agent LLMs. These include prompt injection attacks, where malicious prompts embedded in external content trick the LLM into executing unintended or harmful actions, compromising the victim's application. In this paper, we reveal a more dangerous vector: LLM-to-LLM prompt injection within multi-agent systems. We introduce Prompt Infection, a novel attack where malicious prompts self-replicat","authors_text":"Donghyun Lee, Mo Tiwari","cross_cats":["cs.AI","cs.CR"],"headline":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus.","license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29Z","title":"Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems"},"references":{"count":101,"internal_anchors":26,"resolved_work":101,"sample":[{"cited_arxiv_id":"","doi":"10.48550/arxiv.2401.11880","is_internal_anchor":false,"ref_index":1,"title":"Psysafe: A comprehensive framework for psychological-based attack, defense, and evaluation of multi-agent system safety","work_id":"98f21910-5310-4acc-97ce-abf35e13d48a","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"Tian, Yu and Yang, Xiao and Zhang, Jingyuan and Dong, Yinpeng and Su, Hang , month = feb, year =. Evil","work_id":"a1135af1-22cc-4fdb-a161-ddbdcfb6b508","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"Not what you've signed up for:","work_id":"b79f4aea-f1f1-43b2-b63c-afb3e90d086f","year":null},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":", month = sep, year =","work_id":"ebede130-3d98-4e5d-8df8-f72ccd3998fc","year":null},{"cited_arxiv_id":"","doi":"10.48550/arxiv.2402.06363","is_internal_anchor":false,"ref_index":6,"title":"StruQ: Defending Against Prompt Injection with Structured Queries","work_id":"5e57b942-26b0-4859-8393-c0fa2c2ad65b","year":null}],"snapshot_sha256":"6237fbb14998b79834fe5a8a4920a1e5f8ff33eab11f8761e42f354212a3e759"},"source":{"id":"2410.07283","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T19:28:47.471286Z","id":"7c88c537-2a4a-4500-bd4b-93bcc8065a7f","model_set":{"reader":"grok-4.3"},"one_line_summary":"Prompt injection attacks can self-replicate across LLM agents in multi-agent systems, enabling data theft, misinformation, and system disruption while propagating silently.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Malicious prompts can self-replicate from one LLM agent to others in multi-agent systems, spreading like a virus.","strongest_claim":"We introduce Prompt Infection, a novel attack where malicious prompts self-replicate across interconnected agents, behaving much like a computer virus. This attack poses severe threats, including data theft, scams, misinformation, and system-wide disruption, all while propagating silently through the system.","weakest_assumption":"That LLM agents will reliably execute and propagate the injected malicious prompts when received from other agents, without built-in refusal mechanisms or sufficient context to detect the infection, even in partially shared communication setups."}},"verdict_id":"7c88c537-2a4a-4500-bd4b-93bcc8065a7f"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:ca81bf2f3fb9ee8884cd9ea2db436d3fde0872704fd2cce39b7c83fa6986ca91","target":"record","created_at":"2026-05-17T23:38:50Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"150d92e4c44659a988d553976dfb33b5a2b99eea00fd107f3acde2dc4536d928","cross_cats_sorted":["cs.AI","cs.CR"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.MA","submitted_at":"2024-10-09T11:01:29Z","title_canon_sha256":"9396357490d2530e8840baddc4e7cee0c7e195427cb9b5e393ff922fd715d568"},"schema_version":"1.0","source":{"id":"2410.07283","kind":"arxiv","version":1}},"canonical_sha256":"b1e5894bf4c6b14c8ac8e6d13df9f192d5ca01f8956c653a8b7f4df2dcc3929c","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b1e5894bf4c6b14c8ac8e6d13df9f192d5ca01f8956c653a8b7f4df2dcc3929c","first_computed_at":"2026-05-17T23:38:50.417208Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:38:50.417208Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"hUfG61ZqPveTOYDxgKwIk5cPbh+RF66xZ1PJ5xRlmP3GqX/I1hVfGELei9+uxIeCFXzd4hE3YLkgddNr5CiGAw==","signature_status":"signed_v1","signed_at":"2026-05-17T23:38:50.417757Z","signed_message":"canonical_sha256_bytes"},"source_id":"2410.07283","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:ca81bf2f3fb9ee8884cd9ea2db436d3fde0872704fd2cce39b7c83fa6986ca91","sha256:b6819d8fcfba4adc92e8494b16d4ec6538ff87e4bf5cb77763f27516b66feecb"],"state_sha256":"1fdef2ecacef265703ae5f28f06f0c769a86d218ef037b21ac70cd235a200554"}