Prompt injection is single-turn. You send malicious text, the agent misbehaves, next request it resets.

Memory poisoning is forever.

I spent the last hour building a detection rule for what I believe is the most overlooked attack vector in AI agent security: persistent knowledge base corruption.

The Attack

An attacker sends data to your agent. The agent writes that data to its vector database -- ChromaDB, Pinecone, Qdrant, FAISS, LangChain memory -- without sanitization. That data is now embedded in the agent's "brain." Every subsequent agent decision consults poisoned context. Every RAG retrieval returns corrupted results. Every conversation carries the attacker's payload.