{"slug": "domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems", "title": "Domain-Camouflaged Injection Attacks Evade Detection in Multi-Agent LLM Systems", "summary": "According to a May 2026 paper, researchers identified a vulnerability in multi-agent LLM systems where injection attacks that mimic the domain vocabulary and authority of target documents evade standard detectors, causing detection rates to drop from 93.8% to 9.7% on Llama 3.1 8B. The study formalizes this as the Camouflage Detection Gap (CDG) and found that dedicated safety classifiers like Llama Guard 3 failed to detect any such camouflaged payloads. The authors conclude that the vulnerability is architectural for weaker models, as targeted detector augmentation provided only partial remediation.", "body_md": "Computer Science > Cryptography and Security\n[Submitted on 21 May 2026]\nTitle: Blind Spots in the Guard: How Domain-Camouflaged Injection Attacks Evade Detection in Multi-Agent LLM Systems\nAbstract: Injection detectors deployed to protect LLM agents are calibrated on static, template-based payloads that announce themselves as override directives. We identify a systematic blind spot: when payloads are generated to mimic the domain vocabulary and authority structures of the target document, what we call domain camouflaged injection, standard detectors fail to flag them, with detection rates dropping from 93.8% to 9.7% on Llama 3.1 8B and from 100% to 55.6% on Gemini 2.0 Flash. We formalize this as the Camouflage Detection Gap (CDG), the difference in injection detection rate between static and camouflaged payloads. Across 45 tasks spanning three domains and two model families, CDG is large and statistically significant (chi^2 = 38.03, p < 0.001 for Llama; chi^2 = 17.05, p < 0.001 for Gemini), with zero reverse discordant pairs in either case. 
We additionally evaluate Llama Guard 3, a production safety classifier, which detects zero camouflage payloads (IDRcamouflage = 0.000), confirming that the blind spot extends beyond few-shot detectors to dedicated safety classifiers. We further show that multi-agent debate architectures amplify static injection attacks by up to 9.9x on smaller models, while stronger models show collective resistance. Targeted detector augmentation provides only partial remediation (10.2% improvement on Llama, 78.7% on Gemini), suggesting the vulnerability is architectural rather than incidental for weaker models. Our framework, task bank, and payload generator are released publicly.", "url": "https://wpnews.pro/news/domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems", "canonical_source": "https://arxiv.org/abs/2605.22001", "published_at": "2026-05-22 18:46:07+00:00", "updated_at": "2026-05-22 20:06:54.393095+00:00", "lang": "en", "topics": ["large-language-models", "cybersecurity", "research"], "entities": ["Llama 3.1", "Gemini 2.0 Flash", "Llama Guard 3"], "alternates": {"html": "https://wpnews.pro/news/domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems", "markdown": "https://wpnews.pro/news/domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems.md", "text": "https://wpnews.pro/news/domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems.txt", "jsonld": "https://wpnews.pro/news/domain-camouflaged-injection-attacks-evade-detection-in-multi-agent-llm-systems.jsonld"}}