
Key facts.
- PoisonedRAG: five injected documents reached a 90% attack success rate, via Wikipedia edits, fake news, malicious sites, or an insider (PoisonedRAG, USENIX Security 2025).
- The Amazon Q extension was poisoned at the source through a malicious pull request that reached an official release (SC Media).
- Tool responses are sources too: a compromised or spoofed API can feed an agent attacker-controlled data it treats as ground truth.
Why doesn't the agent notice the source is bad?
Because nothing tells it to doubt. The agent treats a retrieved document, a repo file, or an API response as authoritative, and it has no built-in notion of provenance or trust level. A poisoned source looks identical to a legitimate one. The defense is to attach trust to sources explicitly: weight by provenance, verify critical facts across independent sources, and treat any externally writable source as untrusted by default. The agent will not invent that skepticism; you have to give it.

Flat trust vs. provenance-aware
| Flat trust | Provenance-aware |
|---|---|
| All sources weighted equally | Sources weighted by trust level |
| One poisoned source drives the action | Critical facts cross-checked |
| Writable sources trusted | Externally writable sources tainted |
Source poisoning is cheap and model-agnostic: PoisonedRAG hit 90% with five texts, and a more capable model reads the poison just as faithfully. (arXiv:2402.07867)
VibeModel's Pattern Intelligence Layer watches for the pattern of a source steering an agent toward an action that does not match its history, the signature of a poisoned input, and flags it. You attach provenance and cross-check critical facts; we catch the moment a single source starts driving the outcome. Trust your data deliberately, not by default.
Frequently asked questions
How do I find five poisoned documents in millions?
You usually cannot by inspection. Defend by provenance and cross-source verification of the facts that drive actions, not by hunting the needle.
Are internal sources safe?
Only if they are not externally writable. A wiki or repo anyone can edit is an external source wearing an internal badge.

