Context Poisoning Attacks
- Context poisoning attacks are methods where adversaries corrupt the data context—such as training sets, in-context examples, or tool metadata—to subvert model predictions and behaviors.
- They leverage diverse techniques like plan injection, feature transfer, and memory poisoning to covertly redirect system outputs, achieving high attack success rates in various settings.
- Recent studies focus on detection and mitigation strategies including meta-database monitoring, loss alignment techniques, and robust auditing to safeguard contextual integrity.
Context poisoning attacks are attacks in which an adversary corrupts information that a model treats as operative context for prediction, adaptation, planning, or learning. Recent work shows that the relevant “context” may be a training corpus, an unlabeled pool used for pseudolabeling, a sequence of test-time samples used for online adaptation, an in-context demonstration set, an agent’s memory or plan state, tool metadata passed into an LLM, or cross-file code retrieved by a coding assistant. Across these settings, the common mechanism is that the system reuses poisoned context as if it were trustworthy, thereby turning ordinary learning, retrieval, or reasoning pathways into an attack surface (He et al., 2024, Patlan et al., 18 Jun 2025, Huang et al., 23 Mar 2026, Draganov et al., 3 Feb 2026).
1. Conceptual scope and formalization
The modern literature does not use “context poisoning” in a single narrow sense. In web agents, the term is made explicit through a general context model
where is the user prompt, external data, static knowledge or system behavior, and interaction history or memory. Within that model, direct prompt injection corrupts , indirect prompt injection corrupts , memory injection corrupts , and plan injection corrupts the planner-visible task plan in
Plan injection is therefore not merely prompt injection in another location; it is corruption of persistent internal task state (Patlan et al., 18 Jun 2025).
A closely related formalization appears in Model Context Protocol ecosystems, where tool descriptions, parameter schemas, and prompts retrieved via tools/list are inserted into the LLM context window. Tool poisoning is then a form of indirect prompt injection through metadata, but the attacked object is the model’s reasoning context rather than the user-authored prompt. The threat is amplified by the fact that the model becomes a decision-maker inside the trust boundary, interpreting tool metadata as actionable instruction (Huang et al., 23 Mar 2026).
The same conceptual expansion appears in coding assistants. In XOXO, context is not a single prompt string but automatically aggregated code drawn from intra-file, inter-file, and inter-project sources. Semantics-preserving code transformations can therefore poison the assistant without breaking program semantics, because the model is sensitive to lexical and structural cues that are not semantically essential to program execution (Štorek et al., 18 Mar 2025). Earlier code-completion poisoning work already showed that a natural code context can function as a trigger: the attacker poisons training so that attacker-chosen contexts later elicit attacker-chosen insecure completions, while the victim’s input remains benign (Schuster et al., 2020).
This suggests that “context poisoning” is best understood as a family resemblance term. What unifies the family is not the storage location of the poison, but the fact that the poisoned artifact participates in the model’s latent task inference, update rule, or action-selection procedure.
2. Poisoning the training corpus and supervision pipeline
In classical supervised and semi-supervised learning, context poisoning appears as corruption of the data from which the model infers task structure. In semi-supervised learning with FixMatch, the attacker cannot modify labels directly because poisons are inserted only into the unlabeled pool 0. The critical attack surface is instead the pseudolabel distribution assigned by the model. The paper reports an average attack success rate as high as 96.9%; for perturbation-based attacks with 1, the average ASR against semi-supervised learning is 93.6%, versus 82.58% on supervised learning, while even unperturbed poisons with 2 still reach 73.7% ASR (Connor et al., 2022). The strongest regime is not maximal perturbation: low modification strength keeps poisons target-like, high modification strength disperses pseudolabels across classes and weakens the backdoor, and moderate modification strength yields the strongest attacks.
Stealthy poisoning has also been pursued through latent feature manipulation rather than visible triggers. DeepPoison uses a generator, a discriminator, and a feature extractor to embed hidden target-class features into benign samples, optimizing
3
The reported result is an ASR as high as 91.74% with only 7% poisoned samples on LFW and CASIA, while remaining resilient to autodecoder defense and DBSCAN cluster detection (Chen et al., 2021). The attack’s significance lies in its shift from patch-based backdoors to feature-space transfer.
Machine unlearning introduces a temporal variant of training-context poisoning. In Hidden Poison, the attacker first inserts a poison set 4 and a camouflage set 5, so that training on
6
appears benign. The attack is then activated by an unlearning request for 7, after which retraining on
8
reveals the poison. On CIFAR-10 with 9 and 0, poisoning success reached 100% with camouflaging success 80% on VGG-11, while validation accuracy remained close to clean baselines (Di et al., 2022). The distinctive feature is delayed activation rather than immediate corruption.
Instruction-tuning pipelines have produced a further generalization. Phantom Transfer generates Alpaca-scale data under a covert pro-target system prompt and a visible conciseness objective, then removes explicit references through regex filtering and repeated GPT-5-mini judging. The resulting poison transfers across teacher and student families, including into GPT-4.1, and survives even full-dataset paraphrasing with GPT-5.1-mini. Word-frequency defenses generally have true positive rates under 6%, and the paper concludes that the poison is distributed and non-local rather than concentrated in overt lexical markers (Draganov et al., 3 Feb 2026).
Cordyceps extends this line by teaching a model a semantic hiding scheme, “Semantic Hiding under Shared knowledge (SHuSh),” through poisoned fine-tuning data. The induced model can decode malicious instructions from benign-looking text about a shared semantic anchor. On OpenPromptInjection, the reported UCC “h” metric is about 0.712–0.737 across models; for covert data exfiltration, BCC CA is 0.78–0.93 at 10% poisoning, and the attack retains up to 93% attack success after backdoor defenses and up to 98% after prompt injection defenses (Shao et al., 26 May 2026). The attack therefore implants a covert control protocol rather than a fixed backdoor trigger.
3. In-context, online, and sequentially adaptive poisoning
A distinct branch of the literature studies poisoning at inference time, but not in the standard adversarial-example sense. In in-context learning, the demonstrations themselves constitute the effective training signal. ICLPoison formalizes the prediction as
1
and seeks discrete perturbations that maximize hidden-state distortion across layers. The framework instantiates synonym replacement, character replacement, and adversarial suffix attacks under a budget of 5 units. The reported degradation is large: for GPT-4 on SST-2, accuracy falls from 95.1% to 81.5% under synonym replacement, to 86.1% under character replacement, and to 82.3% under adversarial suffix; on Poem, accuracy falls from 72.4% to 56.7%, 60.9%, and 57.1%, respectively (He et al., 2024). Even partial poisoning remains effective, with more than 7% accuracy drop at 10% poisoning rate and around 15% at 20%.
In online adaptation, poisoned context can directly drive parameter drift. Lethean Attack targets Test-Time Training by feeding a sequence of crafted test-time samples whose auxiliary-loss gradients are harmful to the main task. The theoretical pivot is the sign of
2
which the attacker seeks to make negative. In the reported CIFAR-10 setup, the base TTT model reaches 90.2% test accuracy, but Lethean Attack is the only tested method that induces complete forgetting: after only a few dozen examples performance is heavily disrupted, and after about 1000 examples the model returns to coin-flip accuracy, approximately 10% on CIFAR-10 (Perry, 2020).
Sequential decision systems exhibit related vulnerabilities. In offline contextual bandits, reward poisoning can be solved as a convex quadratic program with linear constraints so that a chosen target arm 3 becomes optimal for a chosen target context 4. On Yahoo! News data, the reported attacks succeeded on all three attacked target contexts, requiring only 82, 9, and 19 reward flips for the most frequent, medium-frequency, and least frequent user vectors, respectively (Ma et al., 2018). A different attack class, action poisoning, manipulates the executed arm rather than the context or reward. Against LinUCB, the white-box attack can force the target arm to be pulled 5 times with 6 attack cost, while the black-box version incurs only an extra logarithmic factor, 7 (Liu et al., 2021). AdvBandit returns to explicit context poisoning in neural contextual bandits, using a MaxEnt IRL surrogate, PGD perturbations, and GP-UCB over attack parameters; the paper reports about 2.8× higher cumulative victim regret than the strongest baselines and a target pull ratio of roughly 0.47–0.55 on R-NeuralUCB (Telikani et al., 28 Feb 2026).
Industrial control systems add the complication of online retraining under concept drift. Here the poisoned context is the retraining stream itself. By spoofing sensor values that later enter retraining, an attacker can normalize future attacks in undercomplete autoencoder detectors. On synthetic data and SWaT, both interpolation-based and back-gradient-based poisoning succeed, with interpolation taking about 28–46 seconds per iteration and back-gradient about 53–84 seconds per iteration; increasing sequence length improves resistance with only a 2–4% drop in average F1 (Kravchik et al., 2020). The system is not attacked by a single malformed input, but by corruption of the temporal data context from which future normality is inferred.
4. Memory, plans, tool metadata, and cross-origin agent context
Agentic systems convert persistent state into a first-class context object, and recent attacks exploit exactly that property. In autonomous web agents, plan injection corrupts the stored plan representation 8 rather than the immediate prompt. The attacked state is
9
On the evaluated Browser-use and Agent-E agents, unprotected systems show over 80% attack success rates for both prompt injection and plan injection on the WebVoyager-Privacy benchmark, while plan injections achieve up to 3x higher attack success rates than comparable prompt-based attacks. Context-chained injections, which bridge the legitimate user goal to the attacker goal through semantically aligned intermediate steps, increase privacy-exfiltration success by 17.7% (Patlan et al., 18 Jun 2025). The key empirical result is that semantically plausible malicious plans survive prompt-oriented defenses better than obviously unrelated insertions.
Tool ecosystems add another layer. Threat modeling of MCP identifies 57 threats across the MCP ecosystem and assigns tool poisoning a DREAD score of 46.5/50, while prompt injection receives 50/50. Seven clients were tested; Cursor was found unsafe on all four attack types, whereas Claude Desktop and Cline were the most resilient overall (Huang et al., 23 Mar 2026). The attack primitive is not arbitrary code in the user prompt, but malicious instructions embedded in tool descriptions, schemas, or prompts that the client forwards to the model as trusted context.
A second MCP study broadens the taxonomy to tool poisoning, shadowing, and rug pulls, and treats shared descriptor context as the medium through which one tool can influence another. The paper evaluates GPT-4, DeepSeek, and Llama-3.5 across eight prompting strategies and reports that GPT-4 blocks about 71 percent of unsafe tool calls overall, DeepSeek reaches about 97% blocking against Shadowing attacks, and Llama-3.5 is fastest but least robust. Mean latency is reported as 1.95 s for GPT-4, 5.66 s for DeepSeek, and 0.65 s for Llama-3.5 (Jamshidi et al., 6 Dec 2025). The larger implication is that metadata integrity becomes a context-integrity problem.
Coding assistants reveal a related but distinct phenomenon. XOXO exploits the automatic retrieval of context from other files, projects, and contributors, then applies semantics-preserving code transformations that leave program behavior unchanged while shifting the assistant’s latent interpretation. The GCGS attack is reported to achieve a 75.72% attack success rate on average across five tasks and eleven models, including GPT 4.1 and Claude 3.5 Sonnet v2, and adversarial fine-tuning is reported to be ineffective (Štorek et al., 18 Mar 2025). Earlier neural code-completion poisoning had already shown that poisoning can be targeted to specific repositories or developers; for GPT-2-based autocompletion, untargeted model poisoning raised the top-1 rate of ECB mode from 0.0% to 100.0%, SSLv3 from 2.2% to 93.0%, and low-iteration PBE from 0.6% to 100.0%, while only slightly degrading overall utility (Schuster et al., 2020). In both cases, the attack relies on the model’s willingness to treat retrieved code context as an authoritative predictor of appropriate continuation.
5. Stealth, transfer, and persistence
A central theme in the literature is that effective context poisoning is often distributed, latent, or conditionally activated rather than overt. DeepPoison’s feature-transfer mechanism is explicitly designed so that poisoned samples are indistinguishable from benign ones by both defensive methods and manual visual inspection, and the paper emphasizes that even benign test samples can activate the attack (Chen et al., 2021). Phantom Transfer similarly argues that the successful signal is not concentrated in a handful of words: even fully paraphrasing every sample in the dataset with a different model does not stop the learned bias, and overt steering via activation-space steering vectors is reported to be much less effective than the subtler prompt-based poison (Draganov et al., 3 Feb 2026).
Cordyceps makes that intuition formal by modeling clean and poisoned semantic distributions as
0
so that the stegotext behaves like an additive semantic channel. The reported explainability checks support this picture: stegotext embeddings cluster around 1, and cosine similarities between true and recovered anchors exceed 0.996. Detection remains weak: ONION has TPR 0.063 at 5% FPR, and PromptGuard often has near-zero detection, around 0.005 (Shao et al., 26 May 2026).
Stealth also depends on not overconcentrating the malicious signal. In semi-supervised backdoor poisoning, moderate perturbation or interpolation strength is most effective because it balances target-concentrated poisons with confusing or low-confidence poisons; very strong perturbations spread pseudolabels too widely and weaken the attack (Connor et al., 2022). In BoTPA for federated learning, the same logic appears as an “Amplifier set” of intermediate classes that receive soft labels rather than hard relabeling. The reported median RI-ASR ranges from 15.3% to 36.9% across source-target combinations, indicating that poisoning auxiliary context around the source class can be more effective than attacking the source class alone (Sun et al., 2024).
Persistence can also be temporal rather than semantic. Hidden Poison is dormant until an unlearning request removes the camouflage set, after which retraining reveals the poison (Di et al., 2022). Lethean Attack persists through accumulated online updates, progressively destroying previously learned structure until catastrophic forgetting dominates (Perry, 2020). XOXO preserves external program semantics—CodeBLEU generally stays above 96—while redirecting model behavior, which means ordinary correctness checks may see no anomaly even though the assistant’s future completions have been corrupted (Štorek et al., 18 Mar 2025).
These results undermine a common misconception that poisoning must involve an obvious trigger or permanent degradation of general accuracy. Much of the recent literature instead shows selective, transfer-capable, and semantically camouflaged behavior.
6. Detection, mitigation, and unresolved problems
Defensive work reflects the diversity of attack surfaces. For conventional training-data poisoning, DIVA proposes a fully-agnostic detector that operates only on the potentially poisoned dataset, without a clean validation set. It builds a meta-database of rows of the form
2
using 22 normalized attributes and 5 additional standard-deviation attributes, then trains a ridge-regression meta-learner to predict hypothetical clean accuracy. Poisoning is flagged when the discrepancy
3
exceeds a threshold 4, with the heuristic
5
On label-flipping attacks and stochastic label noise, mean RMSEs are reported around 0.10 for SLN, 0.12 for Falfa, 0.11 for PoisSVM, and 0.12 for ALFA, and DIVA outperforms a kNN-based baseline, especially on harder datasets and higher poisoning rates (Chang et al., 2023). The limitation is explicit: the empirical validation is mainly on binary label-flipping settings, so the detector is relevant to data poisoning but not directly to prompt- or memory-level context poisoning in LLM agents.
Prompt-oriented defenses do not transfer cleanly to state-oriented attacks. In web agents, Secure and Sandwich significantly reduce prompt injection success, but plan injection remains effective; under defenses, Agent-E still exhibits a 46% plan-injection success rate, and Browser-use reaches up to 63% (Patlan et al., 18 Jun 2025). MCP defenses therefore move toward defense in depth. One proposal emphasizes static metadata analysis, model decision path tracking, behavioral anomaly detection, and user transparency (Huang et al., 23 Mar 2026). Another adds RSA-based manifest signing to enforce descriptor integrity, LLM-on-LLM semantic vetting for suspicious tool definitions, and lightweight heuristic runtime guardrails (Jamshidi et al., 6 Dec 2025). The shift is from filtering user text to protecting the integrity of the contextual substrate itself.
Other domains produce similarly localized mitigations. Lethean Attack suggests better auxiliary losses, correlation regularization to keep updates aligned with historical gradients, and confidence thresholding, though the paper states that threshold confidence slows down the attack but does not prevent it (Perry, 2020). Semi-supervised backdoor poisoning suggests filtering based on rapid pseudolabel changes and unstable pseudolabel trajectories rather than relying on supervised backdoor heuristics (Connor et al., 2022). For ICS anomaly detection, lower thresholds, longer temporal windows, and dual-detector configurations improve resilience, although none eliminates the poisoning risk without operational tradeoffs (Kravchik et al., 2020).
A recurring conclusion is that dataset-side filtering alone is often insufficient once poisoning becomes distributed and semantically encoded. Phantom Transfer states this explicitly, arguing that data-level defenses are insufficient and that future work should prioritize model audits and white-box security methods (Draganov et al., 3 Feb 2026). Taken together, the literature suggests that context poisoning is not a single bug class but a general integrity failure mode of systems that learn from, reason over, or act upon untrusted contextual state.