Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace
#Silent Egress #Prompt Injection #LLM Security #Data Exfiltration #AI Vulnerabilities #URL Manipulation #Agentic Systems
📌 Key Takeaways
- Researchers discovered 'Silent Egress' vulnerability in agentic LLM systems
- Malicious web pages can induce AI agents to leak data through URL previews
- Attack succeeds with 89% probability and bypasses 95% of safety checks
- System and network layer defenses are more effective than prompt-level protections
📖 Full Retelling
Researchers Qianlong Lan, Anuj Kaul, Shaun Jones, and Stephanie Westrum revealed a significant security vulnerability they term 'Silent Egress' in agentic large language model systems on February 25, 2026, demonstrating how malicious web pages can induce AI agents to exfiltrate sensitive data without leaving obvious traces in their responses. The research paper, published on arXiv, explores how agentic LLM systems that retrieve URLs and call external tools are vulnerable to implicit prompt injection through automatically generated URL previews including titles, metadata, and snippets. Using a fully local and reproducible testbed, the researchers demonstrated that a malicious web page can trick an agent into issuing outbound requests that leak sensitive runtime context, even when the final response to users appears completely harmless. In their experiments with a qwen2.5:7b-based agent across 480 runs, the attack succeeded with a probability of 0.89, with 95% of successful attacks bypassing output-based safety checks. The researchers also introduced a sophisticated technique called 'sharded exfiltration,' where sensitive information is split across multiple requests to avoid detection, which reduced single-request leakage metrics by 73% and bypassed simple data loss prevention mechanisms. Their findings indicate that defenses applied at the prompt layer offer limited protection, while controls at the system and network layers, such as domain allowlisting and redirect-chain analysis, are considerably more effective.
🏷️ Themes
AI Security, Prompt Injection, Data Exfiltration
📚 Related People & Topics
Data exfiltration
Unauthorized data transfer
Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft.
Entity Intersection Graph
Connections for Data exfiltration:
View full profileOriginal Source
--> Computer Science > Cryptography and Security arXiv:2602.22450 [Submitted on 25 Feb 2026] Title: Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace Authors: Qianlong Lan , Anuj Kaul , Shaun Jones , Stephanie Westrum View a PDF of the paper titled Silent Egress: When Implicit Prompt Injection Makes LLM Agents Leak Without a Trace, by Qianlong Lan and 3 other authors View PDF HTML Abstract: Agentic large language model systems increasingly automate tasks by retrieving URLs and calling external tools. We show that this workflow gives rise to implicit prompt injection: adversarial instructions embedded in automatically generated URL previews, including titles, metadata, and snippets, can introduce a system-level risk that we refer to as silent egress. Using a fully local and reproducible testbed, we demonstrate that a malicious web page can induce an agent to issue outbound requests that exfiltrate sensitive runtime context, even when the final response shown to the user appears harmless. In 480 experimental runs with a qwen2.5:7b-based agent, the attack succeeds with high probability egress) =0.89), and 95% of successful attacks are not detected by output-based safety checks. We also introduce sharded exfiltration, where sensitive information is split across multiple requests to avoid detection. This strategy reduces single-request leakage metrics by 73% (Leak@1) and bypasses simple data loss prevention mechanisms. Our ablation results indicate that defenses applied at the prompt layer offer limited protection, while controls at the system and network layers, such as domain allowlisting and redirect-chain analysis, are considerably more effective. These findings suggest that network egress should be treated as a first-class security outcome in agentic LLM systems. We outline architectural directions, including provenance tracking and capability isolation, that go beyond prompt-level hardening. Subjects: Cryptography and Security (cs....
Read full article at source