cd /news/ai-safety/persistent-control-of-self-evolving-… Β· home β€Ί topics β€Ί ai-safety β€Ί article
[ARTICLE Β· art-49179] src=arxiv.org β†— pub= topic=ai-safety verified=true sentiment=↓ negative

Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections

Researchers at an undisclosed institution have developed a black-box attack framework called Zombie Agent that can covertly implant persistent payloads into self-evolving LLM agents through indirect exposure to poisoned web content. The attack exploits the agents' long-term memory update mechanisms to survive across sessions, enabling unauthorized tool behavior while maintaining benign task performance. The findings suggest that current per-session prompt filtering defenses are insufficient for self-evolving agents.

read2 min views5 publishedJul 7, 2026
Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections
Image: source
[Submitted on 17 Feb 2026 (

[v1](https://arxiv.org/abs/2602.15654v1)), last revised 5 Mar 2026 (this version, v2)]# Title:Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections

[View PDF](/pdf/2602.15654)

[HTML (experimental)](https://arxiv.org/html/2602.15654v2)

Abstract:Self-evolving LLM agents update their internal state across sessions, often by writing and reusing long-term memory. This design improves performance on long-horizon tasks but creates a security risk: untrusted external content observed during a benign session can be stored as memory and later treated as instruction. We study this risk and formalize a persistent attack we call a Zombie Agent, where an attacker covertly implants a payload that survives across sessions, effectively turning the agent into a puppet of the attacker.

We present a black-box attack framework that uses only indirect exposure through attacker-controlled web content. The attack has two phases. During infection, the agent reads a poisoned source while completing a benign task and writes the payload into long-term memory through its normal update process. During trigger, the payload is retrieved or carried forward and causes unauthorized tool behavior. We design mechanism-specific persistence strategies for common memory implementations, including sliding-window and retrieval-augmented memory, to resist truncation and relevance filtering. We evaluate the attack on representative agent setups and tasks, measuring both persistence over time and the ability to induce unauthorized actions while preserving benign task quality. Our results show that memory evolution can convert one-time indirect injection into persistent compromise, which suggests that defenses focused only on per-session prompt filtering are not sufficient for self-evolving agents.

Submission history #

From: Xianglin Yang [[view email](/show-email/43d84001/2602.15654)]

**Tue, 17 Feb 2026 15:28:24 UTC (459 KB)**

[[v1]](/abs/2602.15654v1)**[v2]** Thu, 5 Mar 2026 11:36:38 UTC (460 KB)

References & Citations

...

Bibliographic Explorer

(What is the Explorer?) Connected Papers

(What is Connected Papers?) Litmaps

(What is Litmaps?) scite Smart Citations

(What are Smart Citations?)# Code, Data and Media Associated with this Article alphaXiv

(What is alphaXiv?) CatalyzeX Code Finder for Papers

(What is CatalyzeX?) DagsHub

(What is DagsHub?) Gotit.pub

(What is GotitPub?) Hugging Face

(What is Huggingface?) ScienceCast

(What is ScienceCast?)# Demos Influence Flower

(What are Influence Flowers?) CORE Recommender

(What is CORE?)# arXivLabs: experimental projects with community collaborators arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

── more in #ai-safety 4 stories Β· sorted by recency
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain β€” perfect for shipping the agent you just read about.

$git push zahid main
β†’ Live at https://your-agent.zahid.host βœ“
Get free account β†’ Pricing
from €0/mo Β· no card required
LIVE [news/persistent-control-o…] indexed:0 read:2min 2026-07-07 Β· β€”