Definition
Plain language
An attack where someone plants a hidden instruction in an AI agent's saved memory, and it goes off later in a totally different person's session.
As stated in the literature
A two-step attack on stateful agents: an unsafe write places untrusted content into persistent storage, then a later session's normal reload reactivates it; the attacker need not be present and the victim is often a different user, analogous to stored XSS.
Why it matters: It means an agent can be compromised long after the attacker is gone and can harm people who never interacted with the attacker, making such attacks hard to trace and contain.
For example, an attacker leaves a hidden command in a shared customer-support agent's saved notes, and days later it triggers while the agent is helping an unrelated customer.
Heard on the show
“The authors give it a name — cross-session stored prompt injection.”Episode 113 — What If a Prompt Injection Never Left? Attacks That Wait in Agent Memory