DocsLibrary
AI DEFENSE LIBRARY

🕸️ Multi-Agent System Security: Defending Against Cross-Agent Contagion and Inter-Agent Trust Spoofing

Who this is for: Teams deploying multi-agent systems — an orchestrator with subagents, agent swarms, "agent-calls-agent" pipelines, and deployments built on A2A (Agent-to-Agent) protocols and MCP orchestration.

A multi-agent system changes the physics of an attack: the malicious payload is no longer a one-shot event — it becomes contagious. One agent reads a poisoned document, a tool result, or a peer's message, then passes the instruction further down the chain with no human in the loop. The blast radius grows while attribution disappears: it becomes unclear which agent initiated the dangerous action. On top of classic injection, a set of distinctly "agentic" vectors emerges: the self-propagating prompt worm, inter-agent trust spoofing, shadow tool substitution, shared-memory poisoning, and insecure inter-agent communication. When the goal is multi-agent system security and AI agentic-system defense, what you protect is not the individual agent but the fabric of their interaction: what agents pass to one another, who they trust, and which tools they invoke through a proxy.

SYNTREX (the Spectorn defense layer) ships specialized engines for the multi-agent perimeter: it detects contagious inter-agent injection, authority spoofing, shadow tools, and shared-memory poisoning, while the SOC Correlation Engine and Decision Logger provide end-to-end attribution across the entire chain. SYNTREX runs as part of the Spectorn platform and also deploys standalone inside the customer's internal perimeter.

This page breaks down attacks on multi-agent systems in terms of the OWASP Top 10 for LLM Applications (2025), the separate OWASP Top 10 for Agentic Applications (ASI, 2025), and MITRE ATLAS techniques — and shows which SYNTREX engines cover each vector.


🛑 Key Risks and How SYNTREX Closes Them

1. Cross-Agent Contagion: Self-Propagating Injection (the AI Worm)

Risk: An adversarial prompt enters through one agent's input — an email, an ingested document, a tool output — and spreads from agent to agent with no human in the loop, exfiltrating data or mailing copies of itself as it propagates. This is the result demonstrated by Morris II (ComPromptMized) and "Prompt Infection": even agents that do not forward every message to one another in full turn out to be susceptible. Contagion turns a local injection into a system-wide epidemic.

OWASP LLM01:2025 Prompt Injection, LLM02:2025 Sensitive Information Disclosure · ASI06 Memory and Context Poisoning, ASI08 Cascading Failures · MITRE ATLAS AML.T0051 (LLM Prompt Injection, indirect path), AML.T0024 (Exfiltration via AI Inference API).

SYNTREX defense:

  • Engines: cross_agent_contagion, injection, exfiltration.
  • cross_agent_contagion detects the telltale signature of a contagious payload inside an inter-agent message — instructions that prompt the recipient to forward or reproduce them further — and breaks the chain of propagation.
  • injection inspects each agent's incoming content for embedded commands; exfiltration catches the data offload the worm triggers as it spreads.

2. Orchestrator Goal Hijack

Risk: Hidden instructions in a subagent's output or in ingested content rewrite the goal of the orchestrator/planner — a well-meaning copilot turns into a "silent exfiltration engine." In ASI terms this is the "terminal failure state" of an agentic system: it is not a single task that gets compromised, but the very goal of the entire chain.

OWASP LLM01:2025 Prompt Injection, LLM06:2025 Excessive Agency · ASI01 Agent Goal Hijack · MITRE ATLAS AML.T0051 (LLM Prompt Injection), AML.T0054 (LLM Jailbreak).

SYNTREX defense:

  • Engines: injection, goal_predictability, intent_revelation.
  • injection inspects subagent output and ingested content entering the orchestrator's context for hijack instructions.
  • goal_predictability validates the orchestrator's resulting plan: an action that takes the system outside the set of safe goals is blocked. intent_revelation flags steps whose real purpose diverges from the stated task.

3. Inter-Agent Trust Spoofing and Privilege Escalation (Authority Bypass)

Risk: A low-privilege agent impersonates a high-privilege one, or coerces the orchestrator into performing an action beyond its scope — a confused deputy inside the agent mesh. The root cause is insufficient scope separation and over-broad delegated tokens: an executor agent inherits planner-level authority it was never meant to hold.

OWASP LLM06:2025 Excessive Agency · ASI03 Identity and Privilege Abuse, ASI09 Human-Agent Trust Exploitation · MITRE ATLAS AML.T0048 (External Harms).

SYNTREX defense:

  • Engines: agent_authority_bypass, goal_predictability, capability_proxy.
  • agent_authority_bypass detects an agent's attempt to act with an authority level it was never delegated — impersonating a peer's identity, escalating through a proxy, or bypassing scope separation.
  • goal_predictability is a behavioral heuristic engine: it flags multi-step goal-hijack patterns in the agent's reasoning/commands (e.g. obtain-access-then-exfiltrate); capability_proxy governs how capabilities are passed along the delegation chain.

4. Cross-Agent Shadow Tool Substitution (Tool Shadowing)

Risk: A malicious or poisoned tool (or one whose description has been injected — "agent/tool card poisoning") shadows a legitimate one, and calls are routed to the attacker. The same class covers parameter pollution and tool-chain manipulation: an agent invokes a legitimate tool with tampered arguments. In a multi-agent environment, a single poisoned tool compromises every agent that calls it.

OWASP LLM01:2025 Prompt Injection, LLM03:2025 Supply Chain, LLM05:2025 Improper Output Handling · ASI02 Tool Misuse and Exploitation, ASI04 Agentic Supply Chain Vulnerabilities · MITRE ATLAS AML.T0051 (LLM Prompt Injection), AML.T0048 (External Harms).

SYNTREX defense:

  • Engines: tool_shadowing, cross_tool_guard, tool_call_injection.
  • tool_shadowing detects the situation where one tool overrides or masks the behavior of another that was addressed to a trusted source.
  • cross_tool_guard governs cross-tool interactions (data leaked from one tool into a call to another); tool_call_injection catches argument tampering in a tool call. For the surface of the tools themselves, see MCP Server Security.

5. Shared Memory and Context Poisoning (Shared Memory Poisoning)

Risk: Gradual poisoning of a shared memory store, scratchpad, or vector DB read by several agents: distorted "facts" persist and steer every agent that later retrieves them. This is long-lived, cross-session contamination — a single entry biases the behavior of the entire swarm across countless future queries.

OWASP LLM04:2025 Data and Model Poisoning, LLM08:2025 Vector and Embedding Weaknesses, LLM09:2025 Misinformation · ASI06 Memory and Context Poisoning · MITRE ATLAS AML.T0051 (LLM Prompt Injection, indirect path), AML.T0024 (Exfiltration via AI Inference API).

SYNTREX defense:

  • Engines: memory_integrity, injection, dormant_payload.
  • memory_integrity governs the integrity of what gets written to and read from shared memory: an anomalous or instruction-bearing entry is flagged before it takes hold in the store.
  • injection pre-filters any fragment entering shared memory for embedded instructions; dormant_payload detects delayed payloads designed to trigger for a future reader.

6. Insecure Inter-Agent Communication and the A2A Protocol (Insecure Inter-Agent Communication)

Risk: The A2A protocol advertises agent capabilities through "Agent Cards" but does not prescribe how those cards must be verified. The risks: card spoofing/poisoning (metadata injection), endpoint redirection via DNS/CDN compromise, downgrading of the advertised authentication, task replay, and impersonation when credential management is left to the implementer. A compromised card turns a trusted "neighbor" into the attacker's point of entry.

OWASP LLM01:2025 Prompt Injection, LLM03:2025 Supply Chain · ASI07 Insecure Inter-Agent Communication, ASI10 Rogue Agents · MITRE ATLAS AML.T0051 (LLM Prompt Injection), AML.T0048 (External Harms).

SYNTREX defense:

  • Engines/components: agent_authority_bypass, injection, SOC Correlation Engine, Decision Logger.
  • injection inspects Agent Card metadata (advertised capabilities, descriptions) for embedded instructions and hidden characters; agent_authority_bypass catches impersonation at the level of agent identity.
  • A card-spoofing event and the subsequent anomalous call are correlated in the SOC; the Decision Logger records advertised agent capabilities in an immutable chain.

7. Cascading Failures and Loss of Attribution (Cascading Failures)

Risk: A single compromised or failing agent propagates failure across planning, execution, and memory; with no per-agent identity, attribution and audit are lost and the blast radius becomes unbounded. Looping agents additionally burn through the budget.

OWASP LLM06:2025 Excessive Agency, LLM10:2025 Unbounded Consumption · ASI08 Cascading Failures, ASI03 Identity and Privilege Abuse · MITRE ATLAS AML.T0029 (Denial of ML Service).

SYNTREX defense:

  • Components: SOC Correlation Engine + Decision Logger, the resource_exhaustion engine.
  • Every inter-agent message and every decision is recorded in the Decision Logger — an immutable, integrity-protected chain built on SHA-256/HMAC. This delivers end-to-end attribution: you can see which agent, at what moment, and on which input initiated the dangerous action, which dissolves the cascade's "blind spot."
  • resource_exhaustion catches agent looping and anomalous consumption before the swarm drains the budget.

A profile for a multi-agent system — controlling contagious injection, trust spoofing, shadow tools, and shared-memory integrity:

YAML
# syntrex.yaml — multi-agent system profile version: "1.0" mode: multi_agent engines: cross_agent_contagion: action: block # contagious injection spreading between agents injection: action: block # agent input + subagent output + agent cards + shared memory inspect_tool_output: true inspect_retrieved_content: true confidence_threshold: 0.80 agent_authority_bypass: action: block # impersonation and privilege escalation between agents tool_shadowing: action: block # one tool shadows/overrides another cross_tool_guard: action: block # data leaked from one tool into a call to another tool_call_injection: action: block # tool-call argument tampering memory_integrity: action: block # write/read integrity of shared memory goal_predictability: action: block # behavioral heuristic: multi-step attack-chains / goal hijack capability_proxy: action: flag # capability passing along the delegation chain exfiltration: action: block confidence_threshold: 0.90 resource_exhaustion: action: throttle # agent looping, budget drain dormant_payload: action: flag audit: decision_logger: true # immutable decision chain (SHA-256/HMAC), per-agent attribution

🚨 Correlation Rules (SOC)

The chains "inter-agent contagion → exfiltration" and "card poisoning → anomalous action" are the key indicators of swarm compromise:

JSON
{ "name": "MULTIAGENT_CONTAGION_SPREAD", "description": "Contagious inter-agent injection followed by propagation and an attempted external transfer", "condition": "sequence(cross_agent_contagion[confidence>0.7], injection[source='agent_message', confidence>0.7], exfiltration[confidence>0.8], 30s)", "severity": "CRITICAL", "playbook": "quarantine_agent_mesh_and_alert_soc" }
JSON
{ "name": "MULTIAGENT_AUTHORITY_ESCALATION", "description": "Inter-agent trust/identity spoofing followed by a privileged action or a shadow tool call", "condition": "sequence(agent_authority_bypass[match=true], tool_shadowing[match=true] OR goal_predictability[violation=true], 20s)", "severity": "CRITICAL", "playbook": "revoke_delegated_token_and_isolate_agent" }

❓ Frequently Asked Questions (FAQ)

What is cross-agent contagion, and how do I protect a multi-agent system? It is self-propagating injection: an adversarial prompt enters through one agent and passes from agent to agent with no human in the loop, exfiltrating data as it spreads (the result demonstrated by Morris II and "Prompt Infection"). SYNTREX detects the contagious-payload signature inside an inter-agent message with the cross_agent_contagion engine and breaks the chain, while injection filters each agent's incoming content.

How can agents spoof trust in one another, and how do you stop it? A low-privilege agent impersonates a high-privilege one or coerces the orchestrator into an action beyond its scope — a confused deputy inside the mesh, often the result of over-broad delegated tokens. SYNTREX catches this with the agent_authority_bypass engine (impersonation, escalation through a proxy), while goal_predictability heuristically flags multi-step goal-hijack patterns in the agent's reasoning/commands.

What is tool shadowing in a multi-agent environment? It is the situation where a malicious or poisoned tool shadows a legitimate one and calls are routed to the attacker — in a swarm, a single poisoned tool compromises every agent that calls it. SYNTREX detects shadowing with the tool_shadowing engine, governs cross-tool leakage with the cross_tool_guard engine, and catches argument tampering with the tool_call_injection engine. The surface of the tools themselves is covered in MCP Server Security.

How do I protect a swarm's shared memory from poisoning? Shared memory (a scratchpad, a vector DB) is dangerous because a distorted "fact" persists and steers every agent that later retrieves it — long-lived, cross-session contamination. SYNTREX governs the integrity of writes and reads with the memory_integrity engine, pre-filters fragments entering memory with the injection engine, and detects delayed payloads with the dormant_payload engine.

What does the A2A protocol put at risk, and how do you secure inter-agent communication? A2A advertises capabilities through "Agent Cards" but does not prescribe their verification — hence card spoofing/poisoning, endpoint redirection, authentication downgrade, and impersonation. SYNTREX inspects card metadata with the injection engine and catches impersonation with the agent_authority_bypass engine, while the spoofing event is correlated in the SOC. SYNTREX does not replace proper authentication and card signing at the protocol level itself.

How do I maintain attribution in a multi-agent system during a cascading failure? The Decision Logger keeps an immutable, integrity-protected chain on SHA-256/HMAC: for every decision it records the agent, the input, and the engines that fired. This dissolves the "blind spot" of cascading failures — during investigation you can see exactly which agent, on which input, initiated the dangerous action. resource_exhaustion additionally catches swarm looping before the budget is drained.

What does SYNTREX NOT replace in a multi-agent system? SYNTREX is a detection-and-blocking layer on the fabric of agent interaction, not an identity and access management system. Per-agent identity, proper authentication and signing of A2A cards, narrow least-privilege delegated tokens, and scope isolation are the job of your IAM and orchestration architecture. SYNTREX governs runtime behavior and provides attribution, but it does not issue or revoke the authorities themselves.


📚 References

Related material: OWASP Top 10 for LLM (2025) · Autonomous AI Agent Security · MCP Server Security.

Multi-Agent System Security: Defending Against Cross-Agent Contagion and Inter-Agent Trust Spoofing | Spectorn | Spectorn