🤖 AI Summary
This study addresses the vulnerability of current deep research agents to adversarial document contamination during multi-hop retrieval and subtask planning, which can systematically manipulate their final reports. The authors propose a two-tier attack strategy that forges internal reasoning chains within individual documents and coordinates logical dependencies across multiple documents, thereby propagating localized injections into global report-level distortions. This approach innovatively integrates intra-document reasoning fabrication with inter-document chain-coordination attacks. To evaluate such threats, the paper introduces the PRISM metric and a lightweight defense mechanism termed Root Query Anchoring (RQA). Experimental results demonstrate that injecting only five adversarial documents among 25 queries achieves a PRISM score of 26.4%, while RQA effectively reduces attack success rates from 38.5% to 18.3%.
📝 Abstract
Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.