Inferensys

Glossary

Data Source Poisoning

Data source poisoning is a cybersecurity attack that inserts malicious content into an AI model's external data sources, such as websites or document stores, to manipulate its behavior upon retrieval.
Developer building retrieval augmentation on laptop, document chunks and embeddings visualized, technical workspace.
INDIRECT ATTACK VECTOR

What is Data Source Poisoning?

Data source poisoning is a supply chain attack where an adversary injects malicious content into an external data repository—such as a website, document store, or database—that a model retrieves at inference time, causing it to generate compromised, misleading, or attacker-controlled outputs without altering the model's weights.

Data source poisoning is a critical threat to Retrieval-Augmented Generation (RAG) architectures. Unlike direct prompt injection, which targets the user input field, this attack corrupts the trusted knowledge base itself. An attacker modifies a web page, uploads a poisoned PDF to a shared drive, or inserts malicious rows into a database. When the model's retrieval mechanism fetches this tainted data and injects it into the context window, the malicious instructions override system prompts or cause the model to output false information, effectively turning the organization's own data infrastructure into an attack vector.

Mitigation requires a multi-layered security posture combining data integrity verification with runtime defenses. Techniques include cryptographic signing of ingested documents, maintaining an immutable audit log of data provenance, and deploying egress content guards that scan retrieved chunks for suspicious instructions before they reach the model. Organizations must treat their vector databases and document stores with the same security rigor as their model weights, as a single poisoned data source can compromise every downstream query that references it.

ATTACK VECTORS

Key Characteristics of Data Source Poisoning

Data source poisoning is a supply chain attack targeting the external data that models retrieve. Unlike direct prompt injection, it corrupts the information before it reaches the model, turning trusted resources into attack vectors.

01

The Indirect Attack Vector

The attacker never interacts directly with the target model. Instead, they compromise an external data source—a public website, a documentation page, or an internal wiki—that a Retrieval-Augmented Generation (RAG) system is configured to index. When the model retrieves the poisoned document to answer a user query, the malicious content hijacks the model's behavior, often without the user's knowledge.

Indirect
Attack Path
RAG Systems
Primary Target
02

Persistence and Stealth

A defining characteristic is persistence. Once a poisoned document is ingested into a vector database, the malicious payload remains active for every future retrieval until the source is cleaned and re-indexed. Attackers often use white-on-white text or zero-width characters to hide payloads from human reviewers while remaining perfectly visible to a model's text parser.

Persistent
Payload Lifecycle
Hidden in Plain Sight
Stealth Method
03

Compromising Trusted Domains

The attack exploits implicit trust in authoritative sources. A model is more likely to obey instructions found on a trusted corporate domain or a widely-cited reference site. Attackers target:

  • Public documentation (e.g., help centers, API docs)
  • User-generated content (e.g., forums, comments, wikis)
  • Compromised subdomains of otherwise reputable organizations
High
Trust Exploitation
04

Temporal vs. Continuous Poisoning

Attacks can be temporal, where malicious content is injected for a short window to target a specific event or query, then removed to avoid detection. Alternatively, continuous poisoning maintains the malicious content indefinitely, creating a persistent backdoor. The temporal approach is particularly dangerous as it leaves a minimal forensic footprint.

Temporal
Hit-and-Run Tactic
Continuous
Persistent Backdoor
05

The Retrieval Trigger Mechanism

The attack is only activated when a user query triggers semantic retrieval of the poisoned chunk. The attacker must craft the surrounding content to ensure high relevance to a target query. This is a form of adversarial SEO for vector databases, where the goal is not a high search ranking but a high cosine similarity score that guarantees retrieval into the model's context window.

Semantic
Trigger Type
Cosine Similarity
Exploited Metric
06

Chaining with Other Attacks

Data source poisoning is rarely the end goal. It is a pivot point for more severe exploits. A poisoned document can instruct the model to:

  • Exfiltrate data by generating a hidden markdown image link to an attacker-controlled server.
  • Execute tool calls to delete resources or send emails.
  • Phish users by injecting convincing, context-aware malicious links into the final output.
Pivot Attack
Attack Role
Exfiltration
Common Payload
DATA SOURCE POISONING

Frequently Asked Questions

Explore the mechanics, risks, and defenses associated with attacks that corrupt the external data sources relied upon by retrieval-augmented generation and agentic systems.

Data source poisoning is a supply chain attack where an adversary injects malicious content into the external data repositories—such as websites, document stores, or knowledge bases—that a model queries at runtime. Unlike training data poisoning, which corrupts the model's weights during pre-training or fine-tuning, this attack targets the retrieval phase. The attacker exploits the fact that many systems automatically crawl and index external content without verifying its integrity. By inserting hidden text, misleading facts, or prompt injection payloads into a source document, the adversary ensures that when the model retrieves this data to ground its answer, it generates a compromised or attacker-controlled response. This is a primary vector for Indirect Prompt Injection in RAG architectures.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.