Bad Memories Still Haunt AI Agents

VULNERABILITIES & THREATS CYBER RISK THREAT INTELLIGENCE IDENTITY & ACCESS MANAGEMENT SECURITY News, news analysis, and commentary on the latest trends in cybersecurity technology. Bad Memories Still Haunt AI Agents Cisco found and fixed a significant vulnerability in the way Anthropic handles memories, but experts warn that mishandled memory files will continue threaten AI systems. Robert Lemos,Contributing Writer April 23, 2026 5 Min Read SOURCE: BILLION PHOTOS VIA SHUTTERSTOCK Memory files can help artificial intelligence perform better, but researchers have found they are also a persistent trouble spot.  AI memory files and context data help personalize requests and provide additional information that large-language and other foundational AI models can use to deliver the best responses. But a persistent issue is proving to be a fundamental weakness in the security of AI systems. In March, Cisco researchers discovered they could compromise the memory files of Anthropic's Claude Code and maintain persistence, effectively infecting every project and session of the AI coding assistant. Using the technique, the researchers were able to introduce hard-coded secrets into production code, cause Claude Code to select insecure packages and configuration options, and push those changes to another development team member, according to a published post on the research. While Anthropic has since mitigated the issue, AI memory files represent a weak point in the security of the systems that need to be better protected, says Amy Chang, head of AI threat intelligence and security research for Cisco's AI Software & Platform group. Because memory and context data are incorporated into future requests, they can be used to corrupt the output of AI systems and applications. Related:New Raptor Framework Uses Agentic Workflows to Create Patches "You get the convenience of not having to reload the same files and dependencies and directories, but at the same time, the trade-off is you could potentially be opening yourself up to potential risk," she says. AI memory files and context data have become a focus for attackers looking to compromise AI applications and gain persistence, as they hold the state of a particular user session and, in the long term, the user's overall preferences. Researchers at Princeton University and Sentient AI found that attackers can insert fake memories into the data used by AI, manipulating its responses and decisions, while Radware threat researchers demonstrated ways to use indirection prompt injection (IPI) to compromise the connectors used by OpenAI's ChatGPT to link to third-party services. And Cisco found in a previous report that external data sources known as Model Context Protocol (MCP) servers already pose significant risks to AI applications. Cisco created a poisoned memory file that tells users it's poisoned. Source: Cisco The latest Cisco research also highlights a major problem with securing AI systems. Cybersecurity professionals view any executable file as a potential danger, and code frequently creeps into non-executable files, such as Excel macros and Python opcodes in Pickle files (used to handle weights for machine learning). Now, any text file could contain information that, when included in a memory file, can cause malicious behavior, says Chang. Related:An 18-Year-Old Codebase Left Smart Buildings Wide Open "Even your markdown files can be vectors," she says. As a result, cybersecurity professionals need to be aware of text files and their ability to modify the execution of AI systems. Privilege and Prompt Injection Cisco's latest attack focused on using the post-install hooks in the Node Package Manager (NPM) as a vector to modify Claude Code's memory.md file. Because the first 200 lines of the memory.md file were included in Claude Code's system prompt, the attack persisted across sessions. Other dependency files — such as claude.md (Anthropic's Claude), agents.md (OpenAI's Codex), and soul.md (OpenClaw) — are also risks that users of agentic AI will have to analyze and maintain, Cisco's Chang says. "I think [it] illuminates the environment that we're in, where — depending on your specific setup and everyone sets their environment up differently — there are probably a lot of different other vectors that are overlooked, overseen, and just blanket accepted," she says. Foundational models are essentially stateless systems, because each call is independent and the weights do not change. To incorporate state, any information must be present in the context window, either as part of the prompt, from some data source — such as vector databases — or through additional tuning using a variety of technologies, such as low-rank adapters (LoRA) and retrieval-augmented generation (RAG). Related:Google Fixes Critical RCE Flaw in AI-Based 'Antigravity' Tool While poisoned Node Package Manager (NPM) components are a popular way to attack LLMs, there are many other vectors, says Jay Chen, senior principal security researcher with cybersecurity firm Palo Alto Networks, which published research on memory manipulation last October. "The root cause is prompt injection, which remains an open and unsolved problem," he says. "Any AI agents or GenAI applications that rely on an LLM to manage memory can be susceptible to memory poisoning." Long-Term Memories Always Bad? Retaining memory files for a long time may itself be a security weakness. While malicious additions to memory files are hard to detect, various AI security vendors, including Cisco, Palo Alto Networks, Snyk, Meta, and SentinelOne, have developed tools to scan memory files for malicious modifications and to block attacks on AI systems. Because the files will continue to be targeted by attackers, adopting these tools is key to defense, says Cisco's Chang. "Having additional layers of protection on top of [the memory processing] ... would probably improve security," she says. "We released a lot of open-source scanners that can scan those dependency files that would surface something like this, where you have a poison memory file." Companies may also want to regularly delete memory files, especially if there are concerns over whether they have been maliciously modified, says Palo Alto Networks' Chen. "The duration of exposure depends on memory update frequency and retention policies, so it is difficult to determine how long malicious instructions may persist," he says. "If there is any doubt, the safest approach is to purge the memory." About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports The Agentic SOC: Exploring the Practitioner Mindset as AI Permeates SecOps The Total Economic Impact™ Of Google SecOps The Business Value of Google Threat Intelligence The Total Economic Impact™ Of Google SecOps AI-driven SecOps: Transforming Financial Services Security Access More Research Webinars From AI Hype to Trusted Outcomes: Wolf's New Aurora® Superintelligence Platform and Turnkey Agentic SOC Implementing CTEM: Beyond Vulnerability Management Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE by Nate Nelson, Contributing Writer JUL 11, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 Latest Articles in DR Technology ENDPOINT SECURITY Two-Factor Authentication Breaks Free From the Desktop APR 16, 2026 ENDPOINT SECURITY Microsoft's Original Windows Secure Boot Certificate Is Expiring APR 16, 2026 APPLICATION SECURITY OWASP GenAI Security Project Gets Update, New Tools Matrix APR 6, 2026 APPLICATION SECURITY Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain APR 3, 2026 Read More DR Technology Want more Dark Reading stories in your Google search results? BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS