{"ID":5937268,"CreatedAt":"2026-07-07T03:14:33.014478982Z","UpdatedAt":"2026-07-09T06:32:06.70555396Z","DeletedAt":null,"paper_url":"https://arxiv.org/abs/2607.04718","arxiv_id":"2607.04718","title":"FORGE: Research-Trajectory Hijacking Attacks on Deep Research Agents","abstract":"Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into report-level contamination. We present FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-level attack that combines intra-document reasoning fabrication with inter-document chain coordination to hijack subtask planning. We further introduce the PRISM metric, which weights infected report claims by cognitive type, and Root Query Anchoring, a lightweight defense that ties recursive follow-up generation to the root query. Across 25 queries, Network FORGE reaches 26.4% PRISM with five injected documents and exhibits depth migration, in which recursive synthesis shifts poisoned content from overt framing into factual premises. On the 10-query defense subset, RQA (Root Query Anchoring) reduces PRISM from 38.5% to 18.3%.","short_abstract":"Deep research agents decompose open-ended queries into subtasks, retrieve web evidence over multiple rounds, and synthesize long-form reports. This workflow creates a planning-layer poisoning surface: adversarial documents that enter the retrieval pool can steer follow-up questions and turn a local injection into repor...","url_abs":"https://arxiv.org/abs/2607.04718","url_pdf":"https://arxiv.org/pdf/2607.04718v1","authors":"[\"Yue Pan\",\"Ziheng Zhang\",\"Junxiang Lei\",\"Changhao Jia\",\"Qingyi Si\",\"Hongcheng Guo\"]","published":"2026-07-06T06:43:21Z","proceeding":"cs.AI","tasks":"[\"cs.AI\"]","methods":"[]","has_code":false}
