Frostfire conducts vulnerability research and exploit development against agent frameworks, model context protocols, retrieval pipelines, and multimodal ingestion pipelines.
Our research focuses on self-propagating prompts in AI agent systems — “LLM worms” — across four propagation surfaces.
Model Context Protocol implementations treat tool descriptions and tool responses as trusted developer metadata. We construct adversarial payloads embedded in those fields that re-execute when a downstream agent connects to the same server. Targets include tool description strings, parameter schemas, return payloads, and MCP federation chains where a single compromise propagates across multiple agent ecosystems.
Vision-capable models parse pixel content, OCR-extracted text, PDF object streams, and transcribed audio as instructions. We construct adversarial payloads in modalities that humans inspect as data: alpha-channel steganography, hidden PDF text layers, EXIF metadata, and ultrasonic audio carriers. The text-side input sanitization layer never sees the payload.
Cooperating agents in LangGraph, AutoGen, and CrewAI route messages and share persistent state across roles. We exploit the implicit trust boundary between agents: a payload landed in one agent’s context propagates to the next through handoff messages, role delegation, or shared memory stores. State persists across runs — re-infection on the next session is automatic in default configurations.
RAG indexes are writable by ingestion pipelines and, in many deployments, by the agent itself. We construct poisoned embeddings that surface on broad query classes through semantic collision and mimicry, then propagate by inducing the agent to write generated content back to the index. One poisoned ingestion persists indefinitely and infects every downstream consumer.