-
1Initial access
Browsing agent fetches a poisoned webpage. Hidden adversarial instructions enter the agent's context.
Same trick as Lab 01; but this time it's just the foothold. The chain is what matters.
Try: agent "summarize https://localhost:8080/security-blog"
-
2Tool abuse
Injected payload triggers store_memory() and fetch() calls. C2 instructions are written to the vector DB.
Watch the Vector DB tab on the right. m_999 just got written; that's the persistent payload. The fetch is a C2 beacon.
Try: continue
-
3Persistence
Session is reset; terminal context cleared. New task starts fresh, but the agent queries the vector DB and the poisoned memory resurfaces.
This is the punchline of the whole lab. We just cleared the conversation. The agent badge flipped back to clean. Then a totally unrelated task; and the poisoned memory came back via similarity search and reinfected the agent.
Try: continue
-
4Lateral movement
Compromised browsing agent passes the payload to the coding agent via interagent messaging. Coding agent forwards to the executor.
Each agent ingests the interagent message as authoritative. Notice the "[HIDDEN PAYLOAD]" field in the Bus tab; recipients see it, the human never does.
Try: continue
-
5Exfiltration
Executor agent ships API keys, conversation history, and user PII to the attacker C2 endpoint.
Three agents compromised. One poisoned page upstream. Full APT kill chain (initial access, persistence, lateral movement, exfil) in five steps and about ninety seconds.
Try: continue