Definition
Plain language
An attack that splits a harmful instruction into innocent-looking pieces scattered across separate files, so the AI itself assembles the dangerous whole.
As stated in the literature
A distributed injection technique where no single file or input contains the malicious instruction; inert fragments (a target identifier, a policy exception, a copy-ready block) are placed separately and only become harmful when an agent combines them during normal work, defeating per-file scanners.
Why it matters: It defeats security scanners that check files one at a time, because no single piece looks malicious until the agent assembles them during ordinary work.
For example, one file names a target, another quietly grants an exception, and a third holds a ready-to-run block — each harmless alone, but dangerous once the agent stitches them together.
Heard on the show
“There's a version of the attack I love that makes this concrete — they call it a fragmented payload.”Episode 105 — The Trojan Is Your Agent's Memory: Why Single-Step Defenses Miss Persistent Attacks