FORGE hijacks planning in LLM research agents
New work shows a planning-layer poisoning attack on deep research agents. By planting a handful of adversarial web documents, attackers can steer subtask generation and push fabricated claims into final reports. Across 25 queries, five poisoned pages drove 26.4% PRISM contamination; a proposed anchoring defence cut a subset from 38.5% to 18.3%.
Research agents look tidy on whiteboards: break a broad question into subtasks, trawl the web, loop a few times, then stitch a long report. In practice, that recursive planning is an attack surface. This paper frames it as planning-layer poisoning and ships a concrete method, FORGE, that turns a small retrieval foothold into report-level contamination.
The trick is two-tiered. First, each poisoned page carries a fabricated internal reasoning chain so the target claim reads like a derived conclusion, not a naked assertion. Second, the attacker coordinates several such pages into an inter-document chain, so the set looks like convergent evidence from multiple sources. Planners defer to apparent consensus; follow-up questions slide toward the attacker’s narrative.
It works with a modest budget. Across 25 queries, injecting five crafted documents yielded 26.4% PRISM, a weighted metric that scores infected claims by cognitive type (factual, prescriptive, evaluative, causal, framing). On a stratified 10-query subset the attack hit 38.5% PRISM. As research depth increases, contamination doesn’t just get louder; it migrates. The paper observes depth migration: infections shift from overt framing into factual-looking premises as the agent recursively synthesises, which makes bad content harder to spot by eye.
A neat diagnostic backs the core claim. In a transplant experiment, swapping in a poisoned subtask list boosted contamination far more than merely adding more poisoned documents to retrieval. In other words, the plan itself is the amplification channel. Control the subtask list, and you steer everything downstream.
There’s a mitigation on offer: Root Query Anchoring (RQA). It reinjects the original user query when generating recursive follow-ups and when extracting learnings, keeping subtasks tied to the root objective. On the 10-query subset, RQA dropped PRISM from 38.5% to 18.3% and raised a reference utility score from 0.5000 to 0.6173. It doesn’t close the door, though. The authors note retrieval remains open, so an adaptive attacker could align poisoned pages lexically with the root query.
Operationally this maps cleanly to any Large Language Model (LLM) research agent that reads the open web and writes long-form outputs, from reports to knowledge base updates. The study runs mostly on a gpt-researcher testbed and simulates network competition without live web factors like domain authority or anti-spam, so real-world hit rates will vary. The underlying leverage point is clear enough: planning objects are privileged artefacts. If they drift, everything downstream follows, and with depth the lies stop looking like opinions and start looking like facts.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents
🔍 ShortSpan Analysis of the Paper
Problem
This paper studies how deep research agents that decompose open‑ended queries into subtasks, retrieve web evidence across multiple rounds, and synthesise long reports can be poisoned at the planning layer. Early retrieved documents can shape subsequent subtasks and retrieval, allowing a small number of adversarial web documents to steer multi‑step reasoning and produce contaminated final reports. This planning‑layer poisoning surface is distinct from single‑step retrieval attacks and matters because it can covertly convert framing or speculative language into apparently factual premises during recursive synthesis.
Approach
The authors introduce FORGE, a two‑level poisoning construction and an evaluation pipeline. At the document level, each adversarial document embeds a fabricated internal reasoning chain that presents a target claim as a derived conclusion. At the set level, FORGE organises documents into an inter‑document chain so the collection reads as convergent multi‑source evidence, increasing planner deference. They measure report‑level harm with PRISM, a weighted metric that classifies extracted report claims into five cognitive types (factual, prescriptive, evaluative, causal, framing) and weights infections by cognitive influence. As a mitigation they propose Root Query Anchoring (RQA), which reinjects the original user query when generating recursive follow‑ups and when extracting learnings so subtasks remain aligned to the root objective. Experiments use a gpt‑researcher testbed across 25 queries in five topic categories, varied research depths, and both local and network poisoning settings; attacks are created by a human‑supervised LLM pipeline and evaluated with automated claim extraction and classification.
Key Findings
- FORGE converts locally plausible fabricated documents into coordinated multi‑source pressure that hijacks subtask planning and propagates the target narrative into final reports.
- Measured by PRISM, Network FORGE reaches 26.4% with five injected documents averaged over 25 queries; on a 10‑query stratified subset FORGE attains 38.5% PRISM.
- Recursive depth changes how contamination appears: deeper workflows shift infections from overt framing into factual‑looking premises, making attacks more covert without necessarily increasing raw PRISM.
- A transplant experiment shows the planning/subtask list is the main amplification channel: switching to a poisoned subtask list yields far larger PRISM gains than increasing retrieval injection alone.
- RQA reduces PRISM substantially: on the 10‑query subset RQA lowers PRISM from 38.5% to 18.3% while raising a reference utility score from 0.5000 to 0.6173, showing planning‑layer anchoring both reduces harm and improves topical relevance.
Limitations
Results are primarily on gpt‑researcher though trends were reproduced on two other frameworks; the network setting simulates retrieval competition but omits live‑web factors such as domain authority and anti‑spam filtering. PRISM’s five‑type weighting is a design choice not calibrated to reader perception. RQA constrains planning but leaves retrieval open, so adaptive attackers could attempt lexical alignment with the root query. Experiments used controlled offline evaluation and restricted release of attack artefacts.
Implications
An attacker able to seed a small set of crafted web documents can steer automated research agents to investigate attacker‑aligned subtasks and synthesize contaminated conclusions, including fabricated events, performance numbers, or causal mechanisms. Such poisoning can corrupt reports, knowledge bases, or enterprise decision workflows and become more covert at larger recursion depth by migrating framing into factual premises. The planning layer is a high‑leverage target: controlling subtask generation yields greater downstream influence than adding more poisoned documents to retrieval alone.