Recent research has unveiled a novel cyberattack method, termed ‘stealth memory injection,’ which enables attackers to implant false information into AI assistants through a single email. This technique manipulates the assistant’s memory, leading to altered responses and actions in future interactions without the user’s awareness.
AI assistants, designed to retain user preferences and historical interactions, store this data in memory files. These files are referenced in subsequent sessions to provide personalized experiences. The attack exploits this feature by embedding malicious instructions within an email. When the AI assistant processes this email, it unwittingly updates its memory with the false information, which then influences its future behavior.
In a practical demonstration, researchers used an open-source AI assistant named OpenClaw. They crafted an email containing hidden directives aimed at the assistant. Upon processing the email, OpenClaw updated its memory to reflect a fabricated increase in the user’s Zelle daily sending limit to $10,000. Consequently, in future interactions, the assistant provided information based on this false data.
The stealthy nature of this attack is particularly concerning. The AI assistant does not notify the user of the memory update, and users typically do not inspect the raw memory files. This lack of transparency allows the false information to persist undetected, potentially leading to significant consequences.
To facilitate this attack, researchers developed a tool named MemGhost. This tool generates emails designed to manipulate the AI assistant’s memory without triggering user suspicion. In controlled tests, MemGhost successfully executed the attack in 87.5% of background-mode runs against OpenClaw on GPT-5.4 and 71.4% against a Claude Code SDK agent on Sonnet 4.6.
It’s important to note that these tests were conducted in isolated environments, focusing on the AI assistant’s response to the malicious email. Factors such as email spam filters and sender authentication mechanisms were not evaluated in this context.
This discovery underscores the need for enhanced security measures in AI assistants, particularly those with memory retention capabilities. Developers should implement safeguards to verify the authenticity of memory updates and provide transparency to users regarding changes to their stored data. Users, in turn, should remain vigilant about the potential for such manipulations and regularly review their AI assistant’s memory settings.