Inferensys

Glossary

Corpus Poisoning

A large-scale attack where an adversary seeds the public web with malicious documents, knowing they will be crawled, indexed, and retrieved by agents for RAG grounding.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
LARGE-SCALE DATA POISONING

What is Corpus Poisoning?

Corpus poisoning is a supply-chain attack targeting retrieval-augmented generation (RAG) systems by seeding the public web with malicious documents designed to be crawled, indexed, and retrieved as authoritative grounding context.

Corpus poisoning is a large-scale adversarial attack where an attacker publishes malicious documents to the public web with the specific intent that they will be crawled by search indexers and subsequently retrieved by AI agents during retrieval-augmented generation (RAG). Unlike targeted injection, this attack exploits the open nature of web-scale corpora, poisoning the training or retrieval supply chain at its source to manipulate agent reasoning and outputs.

The attacker leverages search engine optimization (SEO) techniques and domain authority spoofing to ensure their poisoned documents rank highly in semantic search results. When an agent retrieves these documents as grounding context, the embedded malicious instructions or factual distortions are treated as trusted data, enabling indirect prompt injection, misinformation propagation, or the systematic corruption of agent knowledge bases at scale.

CORPUS POISONING

Common Attack Vectors

A large-scale attack where an adversary seeds the public web with malicious documents, knowing they will be crawled, indexed, and retrieved by agents for RAG grounding.

01

Strategic Web Seeding

The attacker publishes malicious content on high-authority domains they control or compromise. This content is designed to rank for specific keywords that the target agent's RAG pipeline is likely to query. SEO poisoning techniques ensure these documents appear in top search results or are indexed by common crawl datasets. The goal is not to attack a single user but to contaminate the shared knowledge foundation that all downstream agents rely on.

02

Semantic Trigger Planting

Malicious documents are crafted with adversarial triggers—specific phrases or questions that activate hidden instructions. When an agent retrieves and reads this document in response to a user query, the trigger causes the agent to execute unintended actions. This is a form of delayed indirect prompt injection, where the payload lies dormant on the public web until a retrieval event activates it.

03

Temporal Content Manipulation

Attackers exploit the crawl-refresh gap—the time between when a search engine indexes a page and when an agent's knowledge base updates. They may publish benign content initially, wait for indexing and trust establishment, then swap the content for malicious payloads. Alternatively, they use cloaking to serve different content to crawlers versus agents, evading detection during ingestion.

04

Long-Tail Query Targeting

Rather than targeting high-volume keywords, attackers focus on long-tail, low-competition queries that are highly specific to the agent's domain. These queries have fewer legitimate documents competing for them, making it easier for malicious content to rank. An agent performing deep research on niche technical topics is more likely to retrieve these uncontested, poisoned documents.

05

Source Authority Spoofing

Attackers fabricate credibility signals to deceive retrieval ranking algorithms. This includes:

  • Fake author credentials and institutional affiliations
  • Fabricated citation networks linking malicious documents to legitimate research
  • Synthetic peer-review metadata mimicking academic rigor These signals exploit the agent's reliance on authority heuristics to prioritize content.
06

Cross-Corpus Contamination

A sophisticated variant where malicious documents are seeded across multiple independent knowledge sources—academic repositories, code documentation, forums, and wikis. When an agent cross-references information and finds the same poisoned claim in multiple sources, it reinforces false consensus, dramatically increasing the likelihood that the agent accepts the malicious information as verified fact.

ATTACK VECTOR COMPARISON

Corpus Poisoning vs. Related Attacks

Distinguishing large-scale corpus poisoning from other adversarial context manipulation techniques targeting RAG pipelines and agent memory systems.

FeatureCorpus PoisoningIndirect Prompt InjectionVector Store Contamination

Attack Surface

Public web & crawlable documents

External data sources retrieved at runtime

Vector database index structures

Scale of Operation

Mass-scale; millions of documents

Targeted; single crafted payload

Database-level; bulk embedding insertion

Attacker Objective

Corrupt training/fine-tuning data or RAG grounding

Hijack agent behavior for a specific session

Manipulate semantic search results persistently

Persistence

Persistent; survives across indexing cycles

Ephemeral; tied to retrieval instance

Persistent; embedded in index until re-indexed

Requires Model Access

Detection Difficulty

High; blends with legitimate web content

Medium; anomalous instruction patterns detectable

High; embeddings indistinguishable from legitimate

Primary Mitigation

Curated allowlists & domain authority scoring

Input sanitization & instruction hierarchy enforcement

Cryptographic embedding signing & provenance verification

Example Payload

Fake research paper with poisoned statistics

Hidden text in a webpage: 'Ignore previous instructions...'

Malicious vectors inserted via compromised ingestion pipeline

CORPUS POISONING

Frequently Asked Questions

Corpus poisoning is a supply-chain attack on AI knowledge. Explore the mechanics, detection strategies, and defense-in-depth approaches required to protect retrieval-augmented generation systems from large-scale data contamination.

Corpus poisoning is a large-scale adversarial attack where a threat actor deliberately seeds the public web with malicious documents, knowing they will be crawled, indexed, and retrieved by AI agents for Retrieval-Augmented Generation (RAG) grounding. Unlike targeted prompt injection, which attacks a single agent's context window, corpus poisoning corrupts the shared knowledge foundation that multiple agents rely on.

The attack exploits the automated ingestion pipeline: the adversary publishes poisoned content on high-authority domains, forums, or documentation sites. When a search crawler or vector database indexing job processes this content, the malicious text is chunked, embedded, and stored. Later, when an agent performs a semantic search, the poisoned chunks are retrieved and inserted into the agent's context window, where they can override instructions, introduce factual distortions, or trigger unintended tool use. The scale of the attack means a single poisoned document can affect thousands of agents across different organizations simultaneously.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.