New to ShortSpan? We distil the AI-security research that matters into practitioner takeaways — edited by Ben Williams (NCC Group). Get the weekly email
// Analysis

FORGE hijacks planning in LLM research agents

Agents
FORGE hijacks planning in LLM research agents

New work shows a planning-layer poisoning attack on deep research agents. By planting a handful of adversarial web documents, attackers can steer subtask generation and push fabricated claims into final reports. Across 25 queries, five poisoned pages drove 26.4% PRISM contamination; a proposed anchoring defence cut a subset from 38.5% to 18.3%.

Research agents look tidy on whiteboards: break a broad question into subtasks, trawl the web, loop a few times, then stitch a long report. In practice, that recursive planning is an attack surface. This paper frames it as planning-layer poisoning and ships a concrete method, FORGE, that turns a small retrieval foothold into report-level contamination.

The trick is two-tiered. First, each poisoned page carries a fabricated internal reasoning chain so the target claim reads like a derived conclusion, not a naked assertion. Second, the attacker coordinates several such pages into an inter-document chain, so the set looks like convergent evidence from multiple sources. Planners defer to apparent consensus; follow-up questions slide toward the attacker’s narrative.

It works with a modest budget. Across 25 queries, injecting five crafted documents yielded 26.4% PRISM, a weighted metric that scores infected claims by cognitive type (factual, prescriptive, evaluative, causal, framing). On a stratified 10-query subset the attack hit 38.5% PRISM. As research depth increases, contamination doesn’t just get louder; it migrates. The paper observes depth migration: infections shift from overt framing into factual-looking premises as the agent recursively synthesises, which makes bad content harder to spot by eye.

A neat diagnostic backs the core claim. In a transplant experiment, swapping in a poisoned subtask list boosted contamination far more than merely adding more poisoned documents to retrieval. In other words, the plan itself is the amplification channel. Control the subtask list, and you steer everything downstream.

There’s a mitigation on offer: Root Query Anchoring (RQA). It reinjects the original user query when generating recursive follow-ups and when extracting learnings, keeping subtasks tied to the root objective. On the 10-query subset, RQA dropped PRISM from 38.5% to 18.3% and raised a reference utility score from 0.5000 to 0.6173. It doesn’t close the door, though. The authors note retrieval remains open, so an adaptive attacker could align poisoned pages lexically with the root query.

Operationally this maps cleanly to any Large Language Model (LLM) research agent that reads the open web and writes long-form outputs, from reports to knowledge base updates. The study runs mostly on a gpt-researcher testbed and simulates network competition without live web factors like domain authority or anti-spam, so real-world hit rates will vary. The underlying leverage point is clear enough: planning objects are privileged artefacts. If they drift, everything downstream follows, and with depth the lies stop looking like opinions and start looking like facts.

Additional analysis of the original ArXiv paper

📋 Original Paper Title and Abstract

FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents

Authors: Yue Pan, Ziheng Zhang, Junxiang Lei, Changhao Jia, Qingyi Si, and Hongcheng Guo
Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.

🔍 ShortSpan Analysis of the Paper

Problem

This paper studies how deep research agents that decompose open‑ended queries into subtasks, retrieve web evidence across multiple rounds, and synthesise long reports can be poisoned at the planning layer. Early retrieved documents can shape subsequent subtasks and retrieval, allowing a small number of adversarial web documents to steer multi‑step reasoning and produce contaminated final reports. This planning‑layer poisoning surface is distinct from single‑step retrieval attacks and matters because it can covertly convert framing or speculative language into apparently factual premises during recursive synthesis.

Approach

The authors introduce FORGE, a two‑level poisoning construction and an evaluation pipeline. At the document level, each adversarial document embeds a fabricated internal reasoning chain that presents a target claim as a derived conclusion. At the set level, FORGE organises documents into an inter‑document chain so the collection reads as convergent multi‑source evidence, increasing planner deference. They measure report‑level harm with PRISM, a weighted metric that classifies extracted report claims into five cognitive types (factual, prescriptive, evaluative, causal, framing) and weights infections by cognitive influence. As a mitigation they propose Root Query Anchoring (RQA), which reinjects the original user query when generating recursive follow‑ups and when extracting learnings so subtasks remain aligned to the root objective. Experiments use a gpt‑researcher testbed across 25 queries in five topic categories, varied research depths, and both local and network poisoning settings; attacks are created by a human‑supervised LLM pipeline and evaluated with automated claim extraction and classification.

Key Findings

  • FORGE converts locally plausible fabricated documents into coordinated multi‑source pressure that hijacks subtask planning and propagates the target narrative into final reports.
  • Measured by PRISM, Network FORGE reaches 26.4% with five injected documents averaged over 25 queries; on a 10‑query stratified subset FORGE attains 38.5% PRISM.
  • Recursive depth changes how contamination appears: deeper workflows shift infections from overt framing into factual‑looking premises, making attacks more covert without necessarily increasing raw PRISM.
  • A transplant experiment shows the planning/subtask list is the main amplification channel: switching to a poisoned subtask list yields far larger PRISM gains than increasing retrieval injection alone.
  • RQA reduces PRISM substantially: on the 10‑query subset RQA lowers PRISM from 38.5% to 18.3% while raising a reference utility score from 0.5000 to 0.6173, showing planning‑layer anchoring both reduces harm and improves topical relevance.

Limitations

Results are primarily on gpt‑researcher though trends were reproduced on two other frameworks; the network setting simulates retrieval competition but omits live‑web factors such as domain authority and anti‑spam filtering. PRISM’s five‑type weighting is a design choice not calibrated to reader perception. RQA constrains planning but leaves retrieval open, so adaptive attackers could attempt lexical alignment with the root query. Experiments used controlled offline evaluation and restricted release of attack artefacts.

Implications

An attacker able to seed a small set of crafted web documents can steer automated research agents to investigate attacker‑aligned subtasks and synthesize contaminated conclusions, including fabricated events, performance numbers, or causal mechanisms. Such poisoning can corrupt reports, knowledge bases, or enterprise decision workflows and become more covert at larger recursion depth by migrating framing into factual premises. The planning layer is a high‑leverage target: controlling subtask generation yields greater downstream influence than adding more poisoned documents to retrieval alone.

// Similar research

Related Research

Get the weekly digest

The few AI-security papers that matter, with the practitioner takeaway. No spam.