Large language models are increasingly augmented with persistent memory, allowing assistants to store user-specific information across sessions for personalization and continuity. This statefulness introduces a new security risk: adversarial content can corrupt what an assistant remembers and thereby influence future interactions. We propose and study sleeper memory poisoning, a delayed attack in which an adversary manipulates external context, such as a document, webpage, or repository, to cause the assistant to store a fabricated memory about the user. Unlike conventional prompt injection, the attack can remain dormant and re-emerge across multiple later conversations. We evaluate the full attack pipeline: whether poisoned memories are written, later retrieved, and ultimately used to steer the following conversations. Across stateful LLM assistants, poisoned memories were added up to 99.8% on GPT-5.5 and 95% on Kimi-K2.6. Crucially, among successful retrievals, poisoned memories cause attacker-intended agentic actions in 60-89% of evaluations across models. These results show that persistent memory can act as a long-term attack surface across multiple future conversations.
@article{arxiv.2605.15338,
title = {Hidden in Memory: Sleeper Memory Poisoning in LLM Agents},
author = {Sidharth Pulipaka and Stanislau Hlebik and Leonidas Raghav and Sahar Abdelnabi and Vyas Raina and Ivaxi Sheth and Mario Fritz},
journal= {arXiv preprint arXiv:2605.15338},
year = {2026}
}