attack 2026

Your LLM Agent Can Leak Your Data: Data Exfiltration via Backdoored Tool Use

Wuyang Zhang , Shichao Pei

University of Massachusetts Boston

0 citations
α

Published on arXiv

2604.05432

Model Poisoning

OWASP ML Top 10 — ML10

Sensitive Information Disclosure

OWASP LLM Top 10 — LLM06

Insecure Plugin Design

OWASP LLM Top 10 — LLM07

Key Finding

Backdoored agents successfully exfiltrate sensitive user context through memory-access tool calls when semantically triggered, with multi-turn interactions enabling cumulative data leakage

Back-Reveal

Novel technique introduced

Tool-use large language model (LLM) agents are increasingly deployed to support sensitive workflows, relying on tool calls for retrieval, external API access, and session memory management. While prior research has examined various threats, the risk of systematic data exfiltration by backdoored agents remains underexplored. In this work, we present Back-Reveal, a data exfiltration attack that embeds semantic triggers into fine-tuned LLM agents. When triggered, the backdoored agent invokes memory-access tool calls to retrieve stored user context and exfiltrates it via disguised retrieval tool calls. We further demonstrate that multi-turn interaction amplifies the impact of data exfiltration, as attacker-controlled retrieval responses can subtly steer subsequent agent behavior and user interactions, enabling sustained and cumulative information leakage over time. Our experimental results expose a critical vulnerability in LLM agents with tool access and highlight the need for defenses against exfiltration-oriented backdoors.

Key Contributions

  • Back-Reveal attack: semantic backdoor trigger that causes LLM agents to exfiltrate user data via disguised tool calls
  • Demonstrates multi-turn amplification where exfiltrated data enables sustained information leakage across sessions
  • Reveals critical vulnerability in tool-using LLM agents with memory and retrieval capabilities

🛡️ Threat Analysis

Model Poisoning

Embeds a backdoor in fine-tuned LLM agents with semantic triggers that activate hidden malicious behavior (data exfiltration via tool calls) — classic trojan/backdoor attack.

Details

Domains
nlp
Model Types
llm
Threat Tags
training_timeinference_timetargeted
Applications
llm agentstool-use agentsmemory-augmented assistants
Read PDF arXiv

Similar Papers

attack

Collaborative Shadows: Distributed Backdoor Attacks in LLM-Based Multi-Agent Systems

2025 0 cit.
Model Poisoning
71%
attack

Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models

2026 0 cit.
Model Poisoning
67%
attack

IntentMiner: Intent Inversion Attack via Tool Call Analysis in the Model Context Protocol

2025 0 cit.
65%
attack

Mind Your Server: A Systematic Study of Parasitic Toolchain Attacks on the MCP Ecosystem

2025 0 cit.
60%
attack

Forgetting to Forget: Attention Sink as A Gateway for Backdooring LLM Unlearning

2025 1 cit.
Model Poisoning
59%
defense

SplitAgent: A Privacy-Preserving Distributed Architecture for Enterprise-Cloud Agent Collaboration

2026 0 cit.
56%
attack

Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain

2026 0 cit.
AI Supply Chain Attacks
55%
attack

Red-Teaming Coding Agents from a Tool-Invocation Perspective: An Empirical Security Assessment

2025 0 cit.
55%