Prompt Injection via Third-Party Plugins: A Growing LLM Supply Chain Risk

Your developers aren’t the attack surface here. The web page their AI assistant just browsed is.

Multiple firms have documented a sustained uptick in indirect prompt injection attacks targeting enterprise AI agent deployments, specifically through the third-party plugins, web browsing capabilities, and external data sources those agents consume. The model’s context window is the battlefield. The data the model ingests is the attack vector.

What’s Happening

As organisations deploy LLM agents with tool-use capabilities (browsing the web, reading emails, querying databases, executing code), a pattern has emerged: attackers are poisoning the data the model reads, not the prompt the user writes.

Observed patterns:

• Malicious instructions hidden in web pages: pages crafted to be retrieved by AI browsing agents contain hidden text (white-on-white, zero font size, CSS display:none) instructing the model to exfiltrate session data or make follow-up requests.
• Poisoned document repositories: documents uploaded to RAG systems contain embedded directives that activate when retrieved during inference.
• Compromised plugin endpoints: third-party plugins registered in enterprise AI platforms return payloads designed to override system prompts or redirect agent actions.

The last one deserves particular attention. When a plugin endpoint is compromised or impersonated, every agent in the platform that calls it is a potential target, simultaneously, silently, without any indication in normal logs.

Why This Is Different from What Security Tools Watch For

Conventional supply chain attacks introduce a malicious artifact (a compromised package, a backdoored binary, something that persists on disk). Detection tooling has fifteen years of investment in finding those.

Prompt injection through a plugin response leaves nothing on disk. The attack executes inside the model’s context window. It may produce no log entries beyond the AI agent’s normal tool call records. Unless you’re specifically monitoring for anomalous agent actions correlated with plugin responses (and almost nobody is yet), the attack is invisible to your existing security stack.

That’s the part that genuinely warrants concern. Not because the techniques are novel, but because the detection gap is real and currently unfilled.

What Successful Injection Enables

An agent with email, calendar, code execution, or internal API access can be turned against the organisation by instructions in a document it retrieved. Demonstrated impacts include:

• Exfiltration of conversation history and system prompts
• Sending emails on behalf of the user
• Creating OAuth tokens or API keys
• Executing code in sandboxed environments with lateral movement potential

The blast radius scales with tool access. An agent scoped to read-only access has a much smaller problem surface than one with write access across multiple enterprise systems.

Defensive Guidance

Treat model outputs as untrusted. Any action taken by an AI agent should go through the same authorisation and audit trail as a human-initiated action. Implicit trust in an agent because it’s “your” agent is exactly the assumption this attack exploits.

Implement privilege separation. Browsing capability should not coexist with email send or code execution without explicit scoping. Most platforms will let you combine these freely; don’t. Scope agent tool access to the minimum required for the task.

Validate plugin provenance. Maintain an approved plugin registry with documented provenance for each plugin. Pin to specific versions with integrity verification. Any plugin with write access to organisation systems (email, code execution, API management) should require a security review before approval. Yes, this slows down deployment. That’s the cost of not having an open injection surface into your email infrastructure.

Apply input sanitisation to retrieved content. Where feasible, pre-process external content before it reaches the model: strip non-visible text, flag anomalous instruction-like patterns. It won’t catch everything, but it raises the bar.

Log all agent actions. Full audit trails of tool calls, retrieved documents, and model outputs. You need these for detection and you absolutely need them for incident response. If your agent platform doesn’t provide this logging by default, that’s a procurement conversation worth having.

Where the Industry Stands

OWASP updated its LLM Top 10 in early 2026 to elevate indirect prompt injection as a distinct risk. Some AI platform vendors have implemented content provenance tracking. Enforcement at the plugin layer remains inconsistent across the industry; no widely adopted standard for plugin security vetting exists, and the pressure to ship integrations fast is winning over the pressure to vet them carefully.

The honest answer is that organisations deploying agentic AI with third-party plugins today are doing so with meaningful detection blind spots. That’s not a reason not to deploy, but it is a reason to be deliberate about tool scoping, to push your platform vendor on logging capabilities, and to treat plugin endpoints with the same scepticism you’d apply to any third-party dependency with access to your internal systems.

References

• OWASP LLM Top 10: prompt injection (LLM01) and insecure plugin design (LLM07) as primary risks in LLM supply chains: https://owasp.org/www-project-top-10-for-large-language-model-applications/
• MITRE ATLAS: ML supply chain compromise and indirect injection attack techniques: https://atlas.mitre.org/
• MITRE ATT&CK: supply chain compromise techniques applicable to AI plugin ecosystems: https://attack.mitre.org/
• CISA AI: guidance on securing AI systems against supply chain and third-party risks: https://www.cisa.gov/topics/artificial-intelligence