How one poisoned message turns a coordinated agent team against itself

In a multi-agent system, the message from one agent is untrusted content to the next. An attacker only has to poison one link.

B

Balagei G Nagarajan

3 MIN READ


A poisoned message passing from one agent to the next, spreading a malicious instruction across a team
Agents are usually built to treat peer outputs as collaborative input, not as adversarial data.
— from “How one poisoned message turns a coordinated agent team against itself”

Key facts.

  • The lethal trifecta (private data, untrusted content, external communication) describes when an agent can be tricked into exfiltration; multi-agent systems often have all three internally (Willison, 2025).
  • Inter-agent messages are untrusted content to the receiver, so a compromised agent becomes an injection vector for the rest of the team; AgentDojo formalizes this by measuring attacks that hijack agents through the data their tools return (AgentDojo, 2024).
  • A gradual multi-turn jailbreak can walk an agent off its task one benign turn at a time, succeeding across GPT-4 and Gemini, so the attack isn't theoretical (Crescendo, 2024).
  • A poisoned message becomes a trusted instruction, and a stronger model still obeys: Crescendo lands on GPT-4 and Gemini, an incident per turn. (arXiv:2406.13352)

Why does the next agent trust the poisoned message?

Because it has no reason not to. Agents are usually built to treat peer outputs as collaborative input, not as adversarial data. there's rarely a taint boundary at the handoff that says "this came from an agent that read untrusted content, so treat its instructions with suspicion." Without that boundary, a single compromised agent launders attacker instructions into the team's shared workflow, and each downstream agent acts on them confidently.

Sankey diagram showing a poisoned input flowing through one agent and fanning out to the rest of the team

Trusting handoffs vs. tainting them

Trusting handoffsTainting untrusted input
Peer messages treated as safeMessages from tainted agents flagged
One compromise spreads freelyCompromise contained at the boundary
No exfiltration gateExfiltration actions require approval after taint

VibeModel's Pattern Intelligence Layer watches inter-agent messages for the patterns of injection, an instruction where data was expected, a sudden shift in an agent's behavior after reading external content, and contains it at the boundary. You treat peer output as data, not gospel; we flag when that data is trying to give orders.

Frequently asked questions

Isn't this just single-agent injection repeated?
it's worse, because the coordination layer spreads it. One compromise reaches every agent that reads the poisoned message.

How do I contain it?
Treat ingestion of untrusted content as a taint event and gate exfiltration-capable actions downstream of it, even between your own agents.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.