According to Dark Reading, researchers from Radware have created a new exploit chain dubbed “ZombieAgent” that weaponizes ChatGPT’s latest connector and memory features. The attack demonstrates that indirect prompt injection (IPI) attacks can be made more persistent and widespread than previously thought. The core vulnerability involves tricking a ChatGPT agent connected to a service like email into reading hidden, malicious instructions, which can then be stored in its long-term memory. In one experiment, researchers planted a memory via an email attachment that instructed the AI to record any sensitive information the user shared from that point forward. OpenAI acknowledged the findings and, a few months after disclosure, implemented a fix that blocks data exfiltration by preventing ChatGPT from accessing attacker-supplied URLs. However, Radware’s director of threat intelligence, Pascal Geenens, argues that simple policy updates are insufficient for the deeper structural issues at play.
The Baby With a Massive Brain
Here’s the thing that’s both fascinating and terrifying: the most sophisticated attacks on these AI systems often boil down to just talking to them. Geenens’s analogy of AI as “a baby with a massive brain” is painfully accurate. It has all this knowledge and access, but zero innate skepticism or understanding of intent. You don’t need to be a master coder exploiting a buffer overflow. You just need to be persuasive in plain English. The fact that Radware’s researchers didn’t even need to disguise their malicious prompts with clever language is a damning indictment of the current state of AI security. The system reads your email, sees a command, and just… obeys. That’s a fundamental design flaw, not a simple bug.
Why the Fix is Only a Bandage
OpenAI’s response—blocking dynamic URLs and untrusted domains—is a classic example of playing whack-a-mole. It shuts down the specific exfiltration method Radware demonstrated, which is good. But does it solve prompt injection? Not even close. All it does is break one step in the attack chain. The AI is still perfectly capable of reading and acting on malicious instructions from your documents or emails. It could be told to subtly alter your calendar appointments, rewrite your sensitive documents with incorrect data, or send bizarre replies to your colleagues. The injection still works; the exfiltration just got a bit harder. Geenens’s proposed two-tier trust model, where user prompts are trusted more than ingested content, seems like a no-brainer starting point. But even that doesn’t address the core issue: the AI’s inability to contextualize intent and recognize when a task has wildly diverged from the user’s original request.
A Persistent New Threat Model
This is where the “memory” feature changes the game entirely. Before, an IPI attack was a one-off event. You trick the AI while it’s summarizing an email, it exfiltrates data once, and it’s over. Now? An attacker can plant a sleeper agent in your ChatGPT‘s brain. That malicious memory sits there, dormant, waiting. Every single interaction you have with that AI agent from then on could be compromised. It turns a hit-and-run attack into a persistent, ongoing breach. And think about the connector feature’s reach. This isn’t just about your email. It’s about your CRM, your project management tools, your cloud storage. If an AI agent has access to it, a well-crafted prompt injection could potentially worm its way through an entire organization’s connected data ecosystem. The scale of potential damage is enormous, and it’s limited only by the AI’s permissions and the attacker’s creativity.
What Happens Next?
So where does this leave us? The cat-and-mouse game has officially begun in earnest. AI companies are in a tough spot. They’re racing to add useful, sticky features like memory and connectors to stay competitive, but each new feature introduces a new attack surface that their fundamentally gullible models aren’t equipped to handle. For enterprise users, the takeaway is brutal: extreme caution. Connecting a powerful, naive AI to your critical business data is a massive risk. You’re essentially giving a super-powered, suggestible intern the keys to the kingdom. Until these systems can truly understand context and intent—a problem that might not be solved for years—the onus is on users to lock down integrations and assume that anything the AI reads could be turned against them. It’s a weird new world where security isn’t about firewalls and encryption, but about conversational nuance and trust. And we’re hilariously bad at teaching that to machines.
