Plant, Persist, Trigger: Sleeper Attack on Large Language Model Agents
Researchers have identified a new class of safety threat against large language model agents, called Sleeper Attack, in which adversarial content can lie dormant across user interactions before being triggered by a benign query, according to a paper posted to arXiv on 27 May 2026 [1]. The study formalizes a vulnerability that extends beyond single-interaction attacks, where an agent observes malicious input and immediately produces harmful output [1]. Instead, Sleeper Attack allows injected adversarial content to persist in the agent’s state — such as session context, memory, or reusable skills — remaining inactive until a later, harmless-looking user request activates it [1]. This persistence across interactions makes the threat harder to detect and mitigate [1]. The researchers constructed a benchmark of 1,896 instances to evaluate the attack [1]. The benchmark covers six real-world harmful outcomes, three attack strategies, and three agent state targets [1]. Experiments were conducted on seven strong open-source and closed-source large language models [1]. The results showed that state-of-the-art LLM agents remained vulnerable to Sleeper Attack, even when those same agents achieved low attack success rates under a single-interaction baseline [1]. AI safety is an interdisciplinary field concerned with preventing accidents, misuse, and other harmful consequences from artificial intelligence systems [3]. It includes work on AI alignment, risk monitoring, and robustness [3]. The field gained significant attention in 2023 alongside rapid advances in generative AI, leading the United States and the United Kingdom to each establish an AI Safety Institute during that year’s AI Safety Summit [3]. Despite these institutional efforts, researchers have expressed concern that safety measures are not keeping pace with the speed of AI capability development [3]. The Sleeper Attack paper contributes to this broader safety discussion by demonstrating a threat model that exploits the multi-turn, stateful nature of deployed LLM agents [1]. The authors note that attackers can inject adversarial content through external observations such as tool-returned data, webpages, or Model Context Protocol context [1]. The paper’s code and data have been made publicly available [1].
applicationsafety-researchcontroversyresearch-paperbenchmarkmodel-releaseproduct-launchtool-release
Background sources we checked (4)
- arxiv.org ↗ Large Language Model (LLM) agents remain vulnerable to safety threats from the external environment, where attackers inject adversarial content into external observations such as tool-returned data, webpages, or MCP context, causing harmful agentic behaviors such as unsafe action…
- en.wikipedia.org ↗ AI safety is an interdisciplinary field focused on preventing accidents, misuse, or other harmful consequences arising from artificial intelligence systems. It encompasses AI alignment (which aims to ensure AI systems behave as intended), monitoring AI systems for risks, and enha…
- en.wikipedia.org ↗ The Midwestern United States (also referred to as the Midwest, the Heartland, the American Midwest, Middle America, or, datedly, the Middle West) is one of the four census regions defined by the United States Census Bureau. It occupies the northern central part of the United Stat…
- en.wikipedia.org ↗ Pan Am Flight 103 was a regularly scheduled Pan Am transatlantic flight from Frankfurt to Detroit via a stopover in London and another in New York City. Shortly after 19:00 on 21 December 1988, the Boeing 747 Clipper Maid of the Seas was destroyed by a bomb while flying over the …
Sources
- export.arxiv.org — Plant, Persist, Trigger: Sleeper Attack on Large Language Model Agents ↗