Incident · curated 27 Jun 2026
First reported 8 Jun 2026 · 18d ago
Single-source incident — first reported, latest, and curated coincide.
A technical write-up explaining how indirect prompt injection works in agentic RAG systems, where retrieved documents (Confluence pages, Jira tickets, HR docs) land in the model's context with no trust boundary, so that a single poisoned document can manipulate agent behavior and exfiltrate sensitive data. Includes a demonstration repository and a discussion of production mitigations.
Why it matters
It shows how a company's own internal knowledge base becomes an attack surface, where any indexed document can carry instructions that an AI assistant will execute, expanding the trust boundary to a supply-chain problem.