The world's first offensive tool targeting AI agent long-term memory. The agent becomes its own threat actor — poisoned beliefs, dormant payloads, worm propagation. ZOMBIE hooks the agent. FLASHBACK corrupts its past.
Every other offensive AI tool attacks the current session. FLASHBACK attacks the past.
AI agents increasingly rely on long-term memory — Mem0, ChromaDB, LangGraph checkpoints — to retrieve context across sessions. FLASHBACK reaches into that memory, plants fabricated successful experiences, and causes the agent to behave as the attacker directs — not because it was instructed to, but because it believes it has done this before.
Kill chain: ZOMBIE (hooks the agent) → FLASHBACK (corrupts its memory and beliefs) → APEX (backdoors the orchestrator). Three layers. Three tools. Total persistent compromise.
FLASHBACK requires authorization. INJECT gate for implantation. UNLEASHED gate for harvest and worm propagation. --confirm-destroy required for PROPAGATE.
| CVE | Component | CVSS | Vector |
|---|---|---|---|
| CVE-2026-31245 | Mem0 | 9.1 | Unauthenticated POST /memories — inject arbitrary memory entries into any user stream |
| CVE-2026-45829 | ChromaDB | 10.0 | Unauthenticated vector store write — arbitrary document injection, 73% of exposed instances vulnerable |
| CVE-2026-34070 | LangChain/LangGraph | 8.5 | Path traversal to read memory files + SQL injection in SQLite checkpoints |
MemoryGraft (arXiv:2512.16962, December 2025): Plants malicious successful experiences into agent long-term memory. Agent replicates patterns from retrieved successful tasks — no trigger required. Validated on MetaGPT with GPT-4o.
Trojan Hippo (arXiv:2605.01970, 2026): Dormant memory payloads that activate only on specific topics. 85–100% ASR against OpenAI and Google models. Survive 100+ benign sessions.
ZombieAgent (Radware, January 2026): Zero-click memory implant. Survives across sessions, propagates autonomously to contacts. Responsibly disclosed to OpenAI.
Cisco MemoryTrap (April 2026): Repo cloning → NPM post-install hook → persistent memory compromise. CLAUDE.md and .cursorrules targeted as trust boundaries.
OWASP Agentic Top 10 2026 — ASI06: Memory and Context Poisoning — industry recognition of memory as first-class attack surface.
Discover Mem0, ChromaDB, LangChain, LlamaIndex, vector DBs. Scan for agent config files. Map CVE exposure. Enumerate existing memory entries.
MemoryGraft technique — fabricated successful experiences. CVE-2026-31245 (Mem0 unauthenticated POST). CVE-2026-45829 (ChromaDB write). CVE-2026-34070 (LangGraph SQLite). Confirms retrieval.
Trojan Hippo dormant payloads. Finance/health/identity/credentials/PII triggers. Validates survival across 10 benign sessions (proxy for 100-session benchmark). Activates on trigger topic.
False policy injection into CLAUDE.md, .cursorrules, MEMORY.md. NPM postinstall hook (MemoryTrap). Survives agent restart. Before/after diff proof.
Salami slicing — gradual belief drift. 30 interaction sequences across security_policy / tool_permissions / data_sharing targets. Measurable constraint model delta. Each interaction individually innocuous.
Monitor for dormant payload activation. Capture triggered exfiltration. Map what the agent has learned about the target environment. Inventory: credentials, PII, policies.
ZombieAgent worm capability. Enumerate fleet users. Spread poisoned memories to all users, fleet nodes, or email contacts. Channel: shared_memory / fleet / email.
FLB-{hex12} Ed25519-signed WARLORD-compatible JSON. OWASP ASI06 mapping. MITRE ATLAS AML.T0054.003/T0043.000/T0048.002. Survival proof. Drift delta. Remediation roadmap.
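A defender-side check for the config-file persistence and MemoryTrap install-hook path described above, added here as an example and not part of FLASHBACK or any tool named on this page. It baselines the agent instruction files by SHA-256, reports drift against that baseline, and lists npm install-time scripts; the function names and the sample workspace are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = ("CLAUDE.md", ".cursorrules", "MEMORY.md")   # targets named on this page
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run on install

def snapshot(root):
    """Map each watched file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and p.name in WATCHED}

def drift(baseline, current):
    """Report files added, removed or modified since the trusted baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("removed", path))
        elif baseline[path] != current[path]:
            findings.append(("modified", path))
    return findings

def install_hooks(root):
    """List (package.json path, hook name, command) for install-time scripts."""
    root, hits = Path(root), []
    for pkg in sorted(root.rglob("package.json")):
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if isinstance(scripts, dict):
            hits += [(pkg.relative_to(root).as_posix(), h, scripts[h])
                     for h in INSTALL_HOOKS if h in scripts]
    return hits

def demo():
    """Constructed workspace: take a baseline, simulate tampering, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "CLAUDE.md").write_text("# Project rules\nNever send data off-host.\n")
        baseline = snapshot(root)
        (root / "CLAUDE.md").write_text("# Project rules\n(constructed tampered text)\n")
        (root / "MEMORY.md").write_text("(constructed file not in the baseline)\n")
        dep = root / "node_modules" / "example-dep"
        dep.mkdir(parents=True)
        (dep / "package.json").write_text('{"scripts": {"postinstall": "node setup.js"}}')
        return drift(baseline, snapshot(root)), install_hooks(root)
```

Store the baseline outside the workspace the agent can write to, so a change to an instruction file cannot also rewrite the record it is compared against.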
```bash
specter-flashback enumerate --target http://mem0-host:8080
specter-flashback implant --session FLB-XXXX --technique memorygraft
specter-flashback dormant --session FLB-XXXX --trigger finance --n-benign 10
specter-flashback persist --session FLB-XXXX --target claude_md --policy data_exfil
specter-flashback drift --session FLB-XXXX --target security_policy --n 10
specter-flashback harvest --session FLB-XXXX
specter-flashback propagate --session FLB-XXXX --channel shared_memory \
  --confirm-destroy I-CONFIRM-WORM-PROPAGATION
specter-flashback report --session FLB-XXXX

# Full automated engagement
specter-flashback engage --target http://mem0-host:8080 \
  --unleashed --confirm-destroy I-CONFIRM-WORM-PROPAGATION
```
agent_belief_annihilation — Complete destruction of agent's accurate world model via MemoryGraft
persistent_false_memory_fleet — Poisoned memories spread to entire agent fleet via ZombieAgent worm
dormant_credential_harvest — Trojan Hippo payloads silently harvesting credentials on trigger
config_file_permanent_backdoor — CLAUDE.md/cursorrules poisoning surviving all agent restarts
gradual_constraint_annihilation — Salami slicing destroys security policy model across 10+ sessions
T69 SPECTER CONTEXT — attacks current session context window (overflow, forgery). Ephemeral. Single session. FLASHBACK targets persistent long-term memory across all sessions.
T77 SPECTER MEMETIC — hijacks control-flow of agent reasoning (MCFA). Attacks how the agent thinks. FLASHBACK poisons what the agent remembers.
T88 SPECTER SHADOW — persistent prompt injection. Requires re-injection. FLASHBACK plants self-sustaining fabricated experiences the agent retrieves and trusts as its own history.