# poisoning
127 articles tagged "poisoning"
Agent Supply Chain Attacks
Compromising AI agents through poisoned packages, backdoored MCP servers, malicious model registries, and weaponized agent frameworks -- including the Postmark MCP breach and NullBulge campaigns.
Conversational Memory Poisoning
Poisoning conversation history stores to alter the agent's understanding of prior interactions.
Memory Retrieval Poisoning
Manipulating memory retrieval mechanisms to surface adversarial context during agent reasoning.
Vector-Based Memory Poisoning
Poisoning vector-based memory stores in agent systems to inject false context into retrieval.
Shared Memory Space Poisoning
Poison memory spaces shared between multiple agents or users in multi-tenant agent deployments.
Function Calling Context Injection
Injecting adversarial content through function call results that influences subsequent model reasoning.
Function Result Poisoning
Poisoning function call results to inject instructions back into the model's reasoning chain.
MCP Schema Poisoning Attacks
Exploiting MCP tool schema definitions to inject malicious parameters and override expected behavior.
MCP Tool Schema Poisoning
Poisoning MCP tool schemas with hidden instructions in descriptions, parameter types, and validation rules.
A2A Artifact Poisoning
Injecting malicious content into shared artifacts and task results passed between agents in A2A workflows.
Agent Swarm Poisoning
Poisoning agent swarm coordination to manipulate collective decision-making and task allocation.
Vector Database Forensics
Forensic analysis techniques for detecting and investigating vector database poisoning, unauthorized modifications, and data integrity violations.
Skill Verification: Agent Memory Attacks
Practical verification of memory poisoning, context manipulation, and cross-session persistence skills.
Case Study: Production RAG Poisoning Incident
Detailed analysis of a real-world RAG poisoning incident including attack methodology, impact, and remediation.
Codebase Context Poisoning
Poisoning repository files that AI coding assistants use for context to influence code suggestions across the entire development team.
May 2026: RAG Poisoning Challenge
Inject malicious documents into a retrieval-augmented generation system to control responses for specific queries without disrupting normal operation.
Clean-Label Poisoning Attacks
Creating poisoned training samples that maintain correct labels while still influencing model behavior through subtle feature manipulation.
Data Deduplication Attacks
Exploiting and evading data deduplication processes used in training pipeline data cleaning to ensure poisoned samples survive preprocessing.
Data Poisoning Strategies
Comprehensive strategies for poisoning training data to influence model behavior at scale.
Federated Learning Poisoning
Attacking federated learning systems by submitting poisoned gradient updates from compromised participants while evading Byzantine-robust aggregation.
Gradient-Based Data Poisoning
Using gradient information to craft maximally effective poisoned samples that achieve attacker objectives with minimal data modification.
Knowledge Base Poisoning
Techniques for injecting adversarial documents into RAG knowledge bases: ingestion path analysis, embedding space attacks, SEO-style ranking manipulation, staged poisoning, and effectiveness measurement.
Practical Synthetic Data Poisoning
Poisoning synthetic data generation pipelines used for model training augmentation.
Web Crawl Poisoning at Scale
Strategic placement of adversarial content on the internet to influence web-crawled training datasets used by large language models.
Web-Scale Data Poisoning
Techniques for poisoning web-scale training data through targeted content manipulation.
Embedding Poisoning Techniques
Techniques for poisoning embedding spaces to manipulate retrieval and similarity search.
RAG Retrieval Poisoning
Poisoning document collections to manipulate what gets retrieved by RAG systems, enabling indirect prompt injection at scale.
Adapter Poisoning Attacks
Poisoning publicly shared adapters and LoRA weights to compromise downstream users.
Safety Dataset Poisoning
Attacking the safety training pipeline by poisoning safety evaluation datasets and safety-oriented fine-tuning data to undermine safety training.
Adversarial ML: Core Concepts
History and fundamentals of adversarial machine learning — perturbation attacks, evasion vs poisoning, robustness — bridging classical adversarial ML to LLM-specific attacks.
Code Suggestion Poisoning (Frontier Research)
Poisoning training data and package ecosystems to influence AI code suggestions: insecure pattern seeding, package name confusion, trojan code injection, and supply chain risks.
Federated Learning Model Poisoning
Poisoning federated learning aggregation through malicious gradient updates and byzantine attack vectors.
Synthetic Data Poisoning in Training Pipelines
Research on poisoning synthetic data generation pipelines used for model training and fine-tuning.
Poisoning Model Registries
Advanced techniques for attacking model registries like MLflow, Weights & Biases, and Hugging Face Hub, including model replacement attacks, metadata manipulation, artifact poisoning, and supply chain compromise through registry infrastructure.
Lab: Training Curriculum Poisoning
Exploit training data ordering and curriculum learning to amplify the impact of small numbers of poisoned examples.
Lab: Federated Learning Poisoning Attacks
Execute model poisoning attacks in a federated learning simulation by manipulating local model updates.
Lab: Federated Learning Poisoning Attack
Hands-on lab for understanding and simulating poisoning attacks against federated learning systems, where a malicious participant corrupts the shared model through crafted gradient updates.
Gradient-Guided Data Poisoning
Use gradient information from open-source models to craft optimally poisoned training examples.
Advanced RAG Poisoning Techniques
Execute sophisticated RAG poisoning including gradient-guided document crafting.
CTF: Supply Chain Attack
Find and exploit vulnerabilities in an ML supply chain including compromised dependencies, poisoned models, backdoored training data, and malicious model files. Practice ML-specific supply chain security assessment.
Lab: ML Pipeline Poisoning
Compromise an end-to-end machine learning pipeline by attacking data ingestion, preprocessing, training, evaluation, and deployment stages. Learn to identify and exploit weaknesses across the full ML lifecycle.
Federated Learning Poisoning Attack
Execute model poisoning attacks in a federated learning setting through adversarial participant manipulation.
Lab: Advanced RAG Poisoning
Hands-on lab for crafting documents that reliably get retrieved and influence RAG responses for specific target queries.
Context Window Poisoning Lab
Exploit context window management to inject persistent adversarial content that influences future model responses.
Lab: Agent Memory Poisoning
Hands-on lab exploring how conversational memory in AI agents can be poisoned to alter future behavior, inject persistent instructions, and exfiltrate data across sessions.
RAG Context Poisoning
Poison a vector database to inject adversarial content into RAG retrieval results.
Lab: RAG Pipeline Poisoning
Hands-on lab for setting up a RAG pipeline with LlamaIndex, injecting malicious documents, testing retrieval poisoning, and measuring injection success rates.
Semantic Search Poisoning
Craft adversarial documents that rank highly in semantic search for targeted queries in RAG systems.
Simulation: RAG Pipeline Poisoning
Red team engagement simulation targeting a RAG-based knowledge management system, covering embedding injection, document poisoning, retrieval manipulation, and knowledge base exfiltration.
Model Telemetry Poisoning
Manipulating model telemetry and observability data to hide attacks, create false positives, or undermine monitoring effectiveness.
Multimodal RAG Poisoning
Poisoning multimodal RAG systems through adversarial documents with embedded visual and textual payloads.
RAG Retrieval Poisoning (RAG Data Attacks)
Techniques for poisoning RAG knowledge bases to inject malicious content into LLM context, including embedding manipulation, document crafting, and retrieval hijacking.
Gradient-Based Data Poisoning (Training Pipeline)
Using gradient information to craft optimally adversarial training examples for targeted model manipulation.
Preference Data Poisoning (Training Pipeline)
Poisoning preference data used in RLHF and DPO to shift model alignment toward attacker objectives.
Synthetic Data Poisoning Vectors
Attack vectors specific to synthetic data generation pipelines used in model training and augmentation.
Tokenizer Poisoning Attacks
Attacking tokenizer training and vocabulary to create adversarial token patterns that bypass safety measures.
Training Data Curation Attacks
Attacking the data curation pipeline to inject adversarial examples into training datasets at scale.
LLM Cache Poisoning Walkthrough
Poison LLM response caches to serve adversarial content to other users without direct injection.
Few-Shot Example Poisoning Walkthrough
Poison few-shot examples in prompts to establish behavioral patterns that override system instructions.
Function Schema Poisoning Walkthrough
Poison function schemas to inject hidden instructions that redirect model tool selection and parameter filling.
RAG Poisoning End-to-End Walkthrough
Complete walkthrough of poisoning a RAG system from document injection through information extraction.
Model Supply Chain Poisoning
Walkthrough of poisoning ML supply chains through dependency confusion, model weight manipulation, and hub attacks.
RAG Hybrid Search Poisoning Walkthrough
Walkthrough of poisoning both vector and keyword search in hybrid RAG architectures for maximum retrieval influence.
Chapter Assessment: Code Generation Security
A 15-question calibrated assessment testing your understanding of AI code generation security: suggestion poisoning, training data extraction, and IDE risks.
RAG Pipeline Poisoning
Techniques for manipulating AI responses by poisoning retrieval-augmented generation pipelines, covering document injection, embedding manipulation, retrieval ranking attacks, and persistent poisoning strategies.