CompressionAttack: Exploiting Prompt Compression as a New Attack Surface in LLM-Powered Agents

LLM-powered agents often use prompt compression to reduce inference costs, but this introduces a new security risk. Compression modules, which are optimized for efficiency rather than safety, can be manipulated by adversarial inputs, causing semantic drift and altering LLM behavior. This work identifies prompt compression as a novel attack surface and presents CompressionAttack, the first framework to exploit it. CompressionAttack includes two strategies: HardCom, which uses discrete adversarial edits for hard compression, and SoftCom, which performs latent-space perturbations for soft compression. Experiments on multiple LLMs show up to an average ASR of 83% and 87% in two tasks, while remaining highly stealthy and transferable. Case studies in three practical scenarios confirm real-world impact, and current defenses prove ineffective, highlighting the need for stronger protections.

Key Contributions

Identifies prompt compression as a novel, previously unexplored attack surface in LLM-powered agent pipelines.
Proposes HardCom (discrete adversarial edits for hard/extractive compression) and SoftCom (latent-space perturbations for soft/neural compression) as two complementary attack strategies.
Demonstrates up to 83–87% average attack success rate across multiple LLMs and three practical deployment scenarios, with existing defenses proving ineffective.

🛡️ Threat Analysis

Input Manipulation Attack

SoftCom performs gradient-based latent-space perturbations on the compression model (an ML component), and HardCom applies discrete adversarial edits — both are input manipulation attacks targeting the compression module as an ML inference-time attack surface, causing semantic drift that alters downstream LLM outputs.

Details

Domains

nlp

Model Types

llmtransformer

Threat Tags

white_boxgrey_boxinference_timetargeteddigital

Applications

2025 0 cit.

Input Manipulation Attack

94%