This study addresses a critical vulnerability in deep research agents that heavily rely on user-generated content (UGC), revealing how their multi-hop retrieval mechanisms create a concentrated attack surface. The work systematically demonstrates, for the first time, that adversaries can compromise such agents by injecting carefully crafted text into a single, frequently retrieved UGC page, thereby manipulating outputs across numerous related queries and promoting specific entities at scale. The proposed poisoning attack paradigm is validated on real-world systems including STORM, Co-STORM, and OmniThink. Evaluations of defensive strategies—such as source-side filtering and output detection—show that current countermeasures offer limited protection, underscoring a fundamental flaw in these agents’ ability to integrate trustworthy information.

Deep-research agents, i.e., systems that rely on multi-agent pipelines to iteratively retrieve, synthesize, and cite Web content in order to produce structured reports, are rapidly replacing traditional search for both routine and complex information needs. These agents issue many related queries during a single research session. We show that for many common search topics, they repeatedly retrieve the same user-generated content (UGC) pages from platforms such as Reddit and Wikipedia. Next, we argue that this retrieval overlap creates a concentrated attack surface: an adversary who appends a short, crafted text to a single, frequently retrieved UGC page can cause the agent to cite attacker-chosen content and promote attacker-chosen entities across many related queries. We evaluate this attack on three representative deep-research systems (STORM, Co-STORM, and OmniThink) across multiple query clusters. We also study defenses at different stages of the pipeline, including source-level filtering and output-based detection. Our findings highlight a fundamental vulnerability in how deep-research agents retrieve and integrate web content.