FARMA: a memory-poisoning attack that forges an agent's own decision logs, not its retrieved facts
Summary
FARMA is a novel memory-poisoning attack that targets an agent's own decision logs rather than retrieved facts, achieving 100% attack success against undefended and defended systems, with the authors' defense SENTINEL reducing success to 0% but remaining vulnerable to adaptive attackers.
Similar Articles
When Agents Remember Too Much: Memory Poisoning Attacks on Large Language Model Agents
This paper introduces GhostWriter, a novel attack vector that exploits memory subsystems in LLM-powered personal agents to poison their memory store, achieving high injection and activation rates. The authors propose AM-Sentry, a defense that significantly reduces attack success while maintaining agent utility.
MemAudit: Post-hoc Auditing of Poisoned Agent Memory via Causal Attribution and Structural Anomaly Detection
MemAudit is a post-hoc auditing framework for memory-augmented LLM agents that identifies poisoned memories by combining counterfactual influence scores and structural anomaly detection, reducing attack success rates from over 70% to 0% in realistic scenarios.
Agent memory is not just RAG over user facts
The article argues that simple RAG-based agent memory systems fail in production due to issues like stale preferences, missed keywords, and prompt injection, and advocates for a layered memory architecture with active selection, deterministic fallback, governance, and testing.
My agents kept remembering things that weren't true — 4 dry-runs later, here's the gate that keeps false memories at zero
An agent builder describes a memory layer that prevents false facts by requiring verbatim source quotes and tracking when facts become true, achieving zero false memories across stress tests despite extraction failures.
Honest Lying: Understanding Memory Confabulation in Reflexive Agents
This paper identifies memory confabulation in Reflexion-style agents, where agents store incorrect task interpretations and persist in errors across environment resets. The authors introduce the Reflection Repetition Rate (RRR) metric to detect this and propose a mitigation that replaces open-ended self-diagnosis with programmatic failure signal extraction.