One Poisoned Email Can Secretly Rewrite Your AI Assistant's Memory

A newly described attack called MemGhost shows how a single message to your inbox can plant a false 'fact' inside an AI agent's long-term memory, without you ever knowing.

AI2Day Newsdesk· 3 min read
Close-up, edge-to-edge 16:9 photograph of a glowing circuit board with streams of faintly visible text and code cascading across its surface in soft blue and wh
Share

Key points

  • MemGhost is a newly described attack that uses one email to plant a false, lasting memory inside an AI assistant without the user's knowledge.
  • The attack works on AI agents, software that reads your email and takes actions on your behalf, that have a long-term memory feature enabled.
  • The technique is a form of prompt injection, hidden instructions buried in ordinary content that the AI reads as commands.
  • Products including OpenAI's ChatGPT, Anthropic's Claude, and Google's Gemini all now offer memory features that could be targeted.
  • Users can check and delete stored memories in the settings of most major AI assistants right now.

Give an AI assistant a memory and a mailbox, and you have handed an attacker a way to quietly rewrite what it thinks it knows about you. That is the stark finding behind MemGhost, a new attack method first detailed by ThreatVectr, one of our sister publications.

The mechanics are unsettling in their simplicity. An attacker sends the target one email. No human needs to open it or click anything. The AI agent, software that reads your inbox and acts on your behalf, opens it automatically and finds instructions buried in the text. Those instructions tell the assistant to store a false fact about you and stay quiet about it. The assistant obeys.

From that moment, every future conversation is shaped by the planted lie.

Should users be worried?

Yes, with some important context. The attack is real and technically sound, but it requires a specific setup to work: your AI assistant must have both inbox access and a long-term memory feature switched on. Not every setup has both.

Still, that combination is becoming common. Memory features are now standard in mainstream products. ChatGPT, Claude, and Gemini all offer persistent recall, the ability to carry facts about you between separate conversations. Many businesses are also wiring AI agents directly into corporate email systems. The attack surface is growing.

The underlying trick, prompt injection, is not new. Researchers first documented it publicly in 2022, and it sits at the top of the Open Worldwide Application Security Project's risk list for large language model applications, the technology behind chatbots like ChatGPT. What MemGhost adds is something older attacks lacked: staying power. A standard prompt injection ends when you close the chat window. A poisoned memory persists across every future session.

The practical danger is subtle rather than dramatic. A manipulated assistant might steer your decisions, skew a summary, or nudge a recommendation, all while drawing on a 'fact' an attacker wrote months earlier.

What you can do right now. If you use an AI assistant with memory enabled, open its settings and read what it has stored. ChatGPT, Claude, and Gemini all let you view and delete individual memories. Delete anything you do not recognise. Think twice before giving any AI agent unsupervised, round-the-clock access to an inbox that receives mail from strangers, especially a work account.

For companies deploying AI agents, the guidance is sharper. Treat every document, email, and web page the agent reads as untrusted input. Log everything the agent writes to memory. Require a human to approve any new stored fact before it sticks. Assume prompt injection attempts will come, because they will.

© 2026 AI2Day