The authors introduce ShadowMerge, an attack on LLM agents that use graph-based memory systems (like knowledge graphs that store facts and relationships). The idea is to inject a poisoned relationship into the graph that shares the same "anchor" (starting entity) and "channel" (relationship type) as legitimate facts but carries a malicious conflicting value—so when the agent retrieves that relationship later, it uses the attacker's data instead of the truth. They test this on Mem0 and three real-world agent datasets (medical Q&A, shopping, tool use) and achieve 93.8% attack success rate, outperforming prior agent-memory poisoning methods by 50 percentage points, and show that standard defenses don't stop it.
Main takeaways:
- Graph-based agent memory creates a new attack surface: you can poison a relation (edge) in the knowledge graph, not just flat text.
- The attack works by creating a "relation-channel conflict"—a malicious fact that looks legitimate to the graph's extraction, merging, and retrieval systems but carries a different (harmful) value.
- Tested on medical, shopping, and tool-use agents, ShadowMerge succeeds 93.8% of the time and doesn't hurt the agent's performance on unrelated tasks.
- Existing input-side defenses (filtering, prompt screening) are insufficient to block this attack.
- The authors disclosed the vulnerability to graph-memory vendors and open-sourced the attack code.