attack 2025

MURMUR: Using cross-user chatter to break collaborative language agents in groups

Atharv Singh Patlan 1, Peiyao Sheng 2, S. Ashwin Hebbar 1, Prateek Mittal 1, Pramod Viswanath 1

0 citations · 50 references · arXiv

Published on arXiv: 2511.17671

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

CUP attacks succeed at high rates on real multi-user agents (ElizaOS on Discord/X), with poisoning effects persisting across multiple subsequent user tasks

Cross-User Poisoning (CUP)

Novel technique introduced


Language agents are rapidly expanding from single-user assistants to multi-user collaborators in shared workspaces and groups. However, today's language models lack a mechanism for isolating user interactions and concurrent tasks, creating a new attack vector inherent to this new setting: cross-user poisoning (CUP). In a CUP attack, an adversary injects ordinary-looking messages that poison the persistent, shared state, which later triggers the agent to execute unintended, attacker-specified actions on behalf of benign users. We validate CUP on real systems, successfully attacking popular multi-user agents. To study the phenomenon systematically, we present MURMUR, a framework that composes single-user tasks into concurrent, group-based scenarios using an LLM to generate realistic, history-aware user interactions. We observe that CUP attacks succeed at high rates and their effects persist across multiple tasks, thus posing fundamental risks to multi-user LLM deployments. Finally, we introduce a first-step defense with task-based clustering to mitigate this new class of vulnerability.


Key Contributions

  • Identifies and formalizes cross-user poisoning (CUP), a new attack class exploiting shared persistent state in multi-user LLM agent deployments
  • Introduces MURMUR, a framework that synthesizes realistic concurrent multi-user scenarios from single-user benchmarks using an LLM user-generator to evaluate CUP attacks systematically
  • Demonstrates CUP on real systems (ElizaOS across Discord and X, including a confirmed Sepolia blockchain transaction) and proposes a first-step defense via task-based clustering

Details

Domains
nlp
Model Types
llm
Threat Tags
black_box, inference_time, targeted
Datasets
MURMUR (novel multi-user benchmark adapted from single-user benchmarks)
Applications
multi-user llm agents, collaborative ai workspaces, conversational agents