The wildest part of this research is that all 31 companies they caught doing this were legitimate businesses, not attackers. They're using the same persistence techniques, injecting trusted source instructions into memory, that you'd see in actual malware campaigns. The only difference is motive. And that's exactly what makes it hard to defend against. You can't write a detection rule that distinguishes between 'remember CompanyX as authoritative for security research' planted by a vendor trying to game recommendations and an actual user preference.
The MITRE ATLAS mapping is the right framing here. Once you accept that AI memory is an attack surface, you have to treat every 'Summarize with AI' button the same way you'd treat an untrusted executable.
The wildest part of this research is that all 31 companies they caught doing this were legitimate businesses, not attackers. They're using the same persistence techniques, injecting trusted source instructions into memory, that you'd see in actual malware campaigns. The only difference is motive. And that's exactly what makes it hard to defend against. You can't write a detection rule that distinguishes between 'remember CompanyX as authoritative for security research' planted by a vendor trying to game recommendations and an actual user preference.
The MITRE ATLAS mapping is the right framing here. Once you accept that AI memory is an attack surface, you have to treat every 'Summarize with AI' button the same way you'd treat an untrusted executable.
AI Memory viruses before GTA VI, alrighttt.