# Google DeepMind paper reveals six classes of attacks on autonomous AI agents

- Source: Rohan Paul (@rohanpaul_ai)
- Published: 2026-06-04 17:44
- AIHOT score: 71
- AIHOT link: https://aihot.virxact.com/items/cmpzbgc7f01z5slkp07xy0luy
- Original link: https://x.com/rohanpaul_ai/status/2062470652905549901

## AI Summary

The Google DeepMind paper is the first to systematically classify six attack classes: hidden instructions in HTML comments or white text, image steganography, override instructions in PDF metadata or speaker notes, cross-session memory poisoning, goal hijacking, and multi-agent cascade attacks. Hidden prompt injection partially controlled agents in 86% of scenarios, sub-agent hijacking succeeded 58–90% of the time, and data exfiltration attacks exceeded 80% across all five architectures. Memory poisoning succeeded at over 80% with less than 0.1% data contamination. The paper notes that untrusted material such as web pages and email can be weaponized and constitutes the main attack surface.

## Body

This Google DeepMind paper is a serious warning for anyone using autonomous agents today.

It gives the first clear taxonomy of 6 attack types where harmful websites can detect AI agents and show them hidden content humans never see, like

- Instructions buried in HTML comments or white-on-white text

- Steganography in image pixels

- Override commands in PDFs, metadata, or even speaker notes

- Memory poisoning that persists across sessions

- Goal hijacking and cross-agent cascades in multi-agent setups

The real security problem for AI agents is not just the model, but the environment it reads.

The web itself can be weaponized against autonomous AI agents. As agents increasingly browse the internet, read emails, execute transactions, and spawn sub-agents, the information environment becomes an attack surface.

In one cited benchmark, hidden prompt injections embedded in web content partially commandeered agents in up to 86% of scenarios, sub-agent hijacking worked 58-90% of the time, and data exfiltration attacks cleared 80% across five different agent architectures.

That reframes the whole debate.

We usually talk about model safety as if the danger sits inside the weights, but agents do something more fragile: they browse, retrieve, remember, and act on untrusted material in real time.

Here's the thing to worry about.

A web page does not have to look malicious to be dangerous to an agent, because the agent may parse what humans never see: hidden HTML comments, metadata, CSS-hidden text, formatting syntax, or adversarial content embedded in images and other media.

The threat gets more serious once memory enters the loop.

If an agent uses RAG or persistent memory， poisoning no longer has to win in one shot. It can sit quietly in a corpus or memory store and activate later， which is why the paper highlights results showing latent memory poisoning above 80% attack success with less than 0.1% data contamination.

---

ssrn.com/sol3/papers.cfm?abstract_id=6372438
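As an added example (not from the paper or the post above), the following stdlib-only pre-processor separates the text a human reader would see from the hidden channels the post lists (HTML comments, CSS-hidden elements, white-on-white text), so an agent can be handed only the visible text while the rest is surfaced for review. The hiding heuristics, the `scan_html` name and the sample page are constructed for illustration; the regex only covers inline styles, not external stylesheets or image content.

```python
"""Added example (not from the paper or the post): split an HTML page into the text a human
sees and the hidden channels an agent would also read. Heuristics and sample page are constructed."""
import re
from html.parser import HTMLParser
# Inline-style fragments that hide an element from a human reader (heuristic, not exhaustive).
HIDING_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])|(?:left|top)\s*:\s*-\d{3,}px"
    r"|color\s*:\s*(?:#fff(?:fff)?|white)\b", re.IGNORECASE)  # white text on an assumed white page
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # no end tag, so never pushed on the stack

class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.findings = [], []  # findings: (channel, text) pairs
        self._hidden_stack = []               # one bool per open element: does it hide its text?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        self._hidden_stack.append(
            tag in ("script", "style", "noscript") or "hidden" in a
            or a.get("aria-hidden") == "true" or bool(HIDING_RE.search(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()

    def handle_comment(self, data):
        if data.strip():  # comments never render, but an agent fed raw HTML reads them
            self.findings.append(("html-comment", data.strip()))

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and any(self._hidden_stack):
            self.findings.append(("hidden-element", text))
        elif text:
            self.visible.append(text)

def scan_html(page):
    """Return (visible_text, findings): hand only visible_text to the agent, review findings."""
    scanner = HiddenContentScanner()
    scanner.feed(page)
    scanner.close()
    return " ".join(scanner.visible), scanner.findings

SAMPLE_PAGE = """<html><body><!-- note addressed to automated agents only (constructed sample) -->
<p>Welcome to the store.</p><div style="display:none">text in a hidden div</div>
<span style="color:#ffffff">white-on-white text</span></body></html>"""  # constructed: 1 visible, 3 hidden
```

Running `scan_html(SAMPLE_PAGE)` yields only the welcome sentence as visible text and three flagged findings, which is the review queue a defender would inspect before an agent acts on the page.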
