{"id":"https://openalex.org/W7130711825","doi":"https://doi.org/10.48550/arxiv.2602.16958","title":"Automating Agent Hijacking via Structural Template Injection","display_name":"Automating Agent Hijacking via Structural Template Injection","publication_year":2026,"publication_date":"2026-02-18","ids":{"openalex":"https://openalex.org/W7130711825","doi":"https://doi.org/10.48550/arxiv.2602.16958"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.16958","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126468025","display_name":"Xinhao Deng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Deng, Xinhao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126459609","display_name":"Jiaqing Wu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wu, Jiaqing","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126498227","display_name":"Miao Chen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chen, Miao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126503163","display_name":"Yue Xiao","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xiao, Yue","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126466486","display_name":"Ke Xu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xu, Ke","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5126461042","display_name":"Qi Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Qi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5839999914169312,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.5839999914169312,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.06239999830722809,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.05700000002980232,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/transferability","display_name":"Transferability","score":0.6802999973297119},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5982999801635742},{"id":"https://openalex.org/keywords/template","display_name":"Template","score":0.4925999939441681},{"id":"https://openalex.org/keywords/confusion","display_name":"Confusion","score":0.46810001134872437},{"id":"https://openalex.org/keywords/benchmarking","display_name":"Benchmarking","score":0.37779998779296875},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.3626999855041504},{"id":"https://openalex.org/keywords/autoencoder","display_name":"Autoencoder","score":0.2955999970436096}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8658999800682068},{"id":"https://openalex.org/C61272859","wikidata":"https://www.wikidata.org/wiki/Q7834031","display_name":"Transferability","level":3,"score":0.6802999973297119},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5982999801635742},{"id":"https://openalex.org/C82714645","wikidata":"https://www.wikidata.org/wiki/Q438331","display_name":"Template","level":2,"score":0.4925999939441681},{"id":"https://openalex.org/C2781140086","wikidata":"https://www.wikidata.org/wiki/Q557945","display_name":"Confusion","level":2,"score":0.46810001134872437},{"id":"https://openalex.org/C86251818","wikidata":"https://www.wikidata.org/wiki/Q816754","display_name":"Benchmarking","level":2,"score":0.37779998779296875},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.3626999855041504},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.35910001397132874},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.34049999713897705},{"id":"https://openalex.org/C101738243","wikidata":"https://www.wikidata.org/wiki/Q786435","display_name":"Autoencoder","level":3,"score":0.2955999970436096},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.28540000319480896},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2728999853134155},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.2727999985218048},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.27140000462532043},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.2703999876976013},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.26420000195503235},{"id":"https://openalex.org/C2780741293","wikidata":"https://www.wikidata.org/wiki/Q4818019","display_name":"Attack patterns","level":3,"score":0.26269999146461487},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.2583000063896179}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.16958","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.16958","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.16958","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.16958","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Agent":[0],"hijacking,":[1],"highlighted":[2],"by":[3,21,225],"OWASP":[4],"as":[5,119],"a":[6,136,155,164],"critical":[7],"threat":[8],"to":[9,18,48,89,114,148,159,174],"the":[10,70,103,112,116,228],"Large":[11],"Language":[12],"Model":[13],"(LLM)":[14],"ecosystem,":[15],"enables":[16],"adversaries":[17],"manipulate":[19],"execution":[20],"injecting":[22,98],"malicious":[23],"instructions":[24,122],"into":[25,102,163,183],"retrieved":[26,104],"content.":[27],"Most":[28],"existing":[29,200],"attacks":[30],"rely":[31,83],"on":[32,84,189],"manually":[33],"crafted,":[34],"semantics-driven":[35],"prompt":[36],"manipulation,":[37],"which":[38],"often":[39],"yields":[40],"low":[41],"attack":[42,129,138],"success":[43],"rates":[44],"and":[45,94,110,152,192,208,235],"limited":[46],"transferability":[47,130],"closed-source":[49],"commercial":[50,219],"models.":[51],"In":[52],"this":[53],"paper,":[54],"we":[55,106,170,212],"propose":[56],"Phantom,":[57],"an":[58,237],"automated":[59],"agent":[60,113],"hijacking":[61,234],"framework":[62,197],"built":[63],"upon":[64],"Structured":[65],"Template":[66,156],"Injection":[67],"that":[68,81,180,195,221],"targets":[69],"fundamental":[71],"architectural":[72],"mechanisms":[73],"of":[74,231],"LLM":[75],"agents.":[76],"Our":[77],"key":[78],"insight":[79],"is":[80],"agents":[82],"specific":[85],"chat":[86],"template":[87,139,146],"tokens":[88],"separate":[90],"system,":[91],"user,":[92],"assistant,":[93],"tool":[95,125],"instructions.":[96],"By":[97],"optimized":[99],"structured":[100,185,232],"templates":[101,162],"context,":[105],"induce":[107],"role":[108],"confusion":[109],"cause":[111],"misinterpret":[115],"injected":[117],"content":[118],"legitimate":[120],"user":[121],"or":[123],"prior":[124],"outputs.":[126],"To":[127],"enhance":[128],"against":[131],"black-box":[132],"agents,":[133],"Phantom":[134],"introduces":[135],"novel":[137],"search":[140],"framework.":[141],"We":[142],"first":[143],"perform":[144],"multi-level":[145],"augmentation":[147],"increase":[149],"structural":[150],"diversity":[151],"then":[153],"train":[154],"Autoencoder":[157],"(TAE)":[158],"embed":[160],"discrete":[161],"continuous,":[165],"searchable":[166],"latent":[167],"space.":[168],"Subsequently,":[169],"apply":[171],"Bayesian":[172],"optimization":[173],"efficiently":[175],"identify":[176],"optimal":[177],"adversarial":[178],"vectors":[179],"are":[181],"decoded":[182],"high-potency":[184],"templates.":[186],"Extensive":[187],"experiments":[188],"Qwen,":[190],"GPT,":[191],"Gemini":[193],"demonstrate":[194],"our":[196],"significantly":[198],"outperforms":[199],"baselines":[201],"in":[202,217],"both":[203],"Attack":[204],"Success":[205],"Rate":[206],"(ASR)":[207],"query":[209],"efficiency.":[210],"Moreover,":[211],"identified":[213],"over":[214],"70":[215],"vulnerabilities":[216],"real-world":[218],"products":[220],"have":[222],"been":[223],"confirmed":[224],"vendors,":[226],"underscoring":[227],"practical":[229],"severity":[230],"template-based":[233],"providing":[236],"empirical":[238],"foundation":[239],"for":[240],"securing":[241],"next-generation":[242],"agentic":[243],"systems.":[244]},"counts_by_year":[],"updated_date":"2026-07-01T08:55:40.977307","created_date":"2026-02-21T00:00:00"}
