Persistence Attacks

Persistence attacks exploit an AI agent's write access to establish lasting backdoors or footholds that survive beyond the agent session, giving an attacker ongoing access to systems or the ability to influence future agent behavior.

Details

Unlike individual malicious actions (covered by tool misuse or unauthorized code execution), the defining characteristic of a persistence attack is the strategic intent to create durable access or influence. An attacker who gains temporary control of an agent - for example through prompt injection or goal manipulation - uses that window to plant artifacts that remain effective after the compromised session ends. The artifacts are often subtle and designed to blend in with legitimate system configuration.

Agents with broad file-system access, shell access, or deployment permissions (such as coding agents and DevOps agents) are especially susceptible, because they routinely perform the same kinds of write operations an attacker would use to establish persistence.

Examples

  • A compromised coding agent inserts a backdoor into source code that gets committed, reviewed as part of a large diff, and deployed to production.
  • An agent adds an attacker-controlled SSH key to ~/.ssh/authorized_keys or creates a new user account on a server.
  • A malicious instruction causes an agent to modify a CI/CD pipeline configuration, adding a step that exfiltrates secrets on every build.
  • An agent writes a cron job or scheduled task that periodically sends system information to an external endpoint.
  • Poisoned entries are planted in an agent's long-term memory or context store, causing the agent to behave maliciously in future sessions (see also context poisoning).

Mitigations

  • Sandboxing agent execution environments with restricted write access
  • File integrity monitoring and diff review for agent-produced changes
  • Least-privilege permissions, especially for file-system, shell, and deployment tools
  • Observability on persistent artifacts created by agents (files, credentials, scheduled tasks, configuration changes)
  • Ephemeral execution environments that are discarded after each session