This work addresses critical security vulnerabilities in the long-term memory systems of contemporary large language model agents, which, despite incorporating selective retrieval and rewriting mechanisms, remain susceptible to adversarial manipulation. The paper introduces MemPoison, a novel attack method that achieves highly effective memory poisoning within real-world memory pipelines for the first time. By leveraging semantic association bridges, named entity cloaking, and joint optimization in embedding space, MemPoison stealthily injects triggerable backdoors into long-term memory while evading detection by selective mechanisms. Extensive experiments demonstrate that the attack attains a success rate of up to 0.95 across diverse agent architectures and memory systems, substantially outperforming baseline approaches. Furthermore, the study uncovers fundamental weaknesses in selective memory systems, particularly their susceptibility stemming from embedding anisotropy and attention distribution biases.

Large language model (LLM) agents increasingly leverage long term memory to support persistent and autonomous task execution. However, this capability also introduces a new attack surface: memory poisoning, where adversaries can inject malicious information to influence future behavior. Existing memory poisoning attacks often assume that injected content can be stored directly in memory, overlooking the selective extraction and rewriting stages in modern memory pipelines. This makes prior methods ineffective under realistic settings. In this paper, we propose MemPoison, a novel memory poisoning attack that bypasses selective memory mechanisms in LLM agents, where an attacker can inject triggerable backdoors into the agent's long-term memory through dialogue interactions, thereby misleading its subsequent responses. MemPoison introduces three key components: (i) a semantic relational bridge that binds the trigger and payload into a coherent statement to ensure they are extracted into memory together; (ii) entity masquerading that optimizes triggers to mimic named entities, resisting rewriting; and (iii) joint embedding optimization that shapes trigger-injected texts into a tight cluster in the embedding space while maintaining isolation from benign embeddings for stealth. Evaluations across different agent domains and memory mechanisms show MemPoison achieves attack success rates up to 0.95, outperforming existing baselines. Mechanistic analysis indicates that the attack exploits embedding-space anisotropy and shifts attention patterns, highlighting core vulnerabilities in selective memory systems. We evaluate multiple defense strategies and demonstrate their fundamental limitations in mitigating the attack.