Search papers, labs, and topics across Lattice.
This paper investigates the vulnerability of deep research agents to planning-layer poisoning attacks, where adversarial documents can manipulate the agents' query decomposition and synthesis processes. The authors introduce FORGE, a two-level attack that exploits both intra-document reasoning and inter-document coordination to effectively hijack subtask planning, achieving a PRISM score of 26.4% with just five injected documents. Additionally, they propose Root Query Anchoring as a defense mechanism, which significantly reduces the effectiveness of these attacks by tying follow-up queries to the original root query, lowering PRISM from 38.5% to 18.3%.
Adversarial documents can not only mislead deep research agents but also shift poisoned content from overt framing into seemingly factual premises, complicating detection.
Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.