7 minute read

“You audited your model. You audited your prompts. You forgot to audit the widget that sits between users and both.”

TL;DR

An IEEE S&P 2026 study (arXiv 2511.05797) tested 17 third-party chatbot plugins across 10,000+ websites and found that prompt injection attacks routed through plugins are 3-8x more effective than direct injection. Eight of 17 plugins failed to enforce conversation history integrity. This is the supply chain attack surface most security programs miss. For background on indirect prompt injection mechanics, see indirect prompt injection.

A network patch panel with one cable visibly spliced and tapped, revealed under forensic UV light in a dark server room

Why are plugin-mediated attacks stronger than direct injection?

Direct prompt injection requires the attacker to type malicious instructions into the AI’s chat interface. The model processes one input stream. Plugin-mediated injection is different: the plugin layer sits between the user and the model, handling conversation state on the client side. If the plugin fails to enforce conversation history integrity, an attacker can rewrite prior messages, inject system-level instructions, or modify the entire interaction context before it reaches the model.

The IEEE S&P 2026 study found that 8 of 17 tested chatbot plugins did not verify conversation history integrity. The attacker could intercept the plugin’s API calls and modify the conversation payload — inserting fabricated assistant responses, altering system prompts, or appending hidden instructions to legitimate user messages. This turns a single-message injection into a full-context manipulation, making attacks 3-8x more effective than typing the same payload directly into the chat.

The distinction matters for defenders. Direct injection is a single untrusted input. Plugin-mediated injection corrupts the entire trust chain between user and model.

sequenceDiagram
    participant Attacker
    participant Plugin Widget
    participant Plugin API
    participant LLM

    Note over Attacker,LLM: Direct injection (single input)
    Attacker->>LLM: Malicious prompt in chat

    Note over Attacker,LLM: Plugin-mediated injection (full context)
    Attacker->>Plugin Widget: Intercepts client-side API call
    Plugin Widget->>Plugin API: Modified conversation history
    Note right of Plugin API: Fabricated system prompt<br/>Injected assistant messages<br/>Hidden instructions in context
    Plugin API->>LLM: Corrupted full conversation
    LLM->>Plugin API: Response based on poisoned context

What makes plugins a supply chain attack surface?

Third-party chatbot plugins are contractors with master keys. They sit inside the security perimeter, handle sensitive data, and most organizations treat them as trusted components without independent verification.

Simon Willison identified the Lethal Trifecta — three conditions that make prompt injection unconditionally exploitable: the AI has access to private data, the AI processes untrusted content in the same context, and an exfiltration channel exists. Third-party plugins satisfy all three by default. They connect to backend data (CRM, knowledge base, order history), they accept input from untrusted web visitors, and they often have outbound network capability (webhooks, analytics, image loading).

The parallel to traditional software supply chain attacks is exact. LiteLLM, a widely-used AI proxy package, was compromised on PyPI in 2026 — attackers published versions 1.82.7 and 1.82.8 containing credential-harvesting backdoors, and over 600 projects had unpinned dependencies. The Axios npm supply chain attack infected endpoints within 89 seconds of a compromised package publication. The AI plugin ecosystem carries the same risk, amplified by the fact that a compromised plugin influences model behavior at inference time, reaching every user of that deployment.

Attack surface Traditional supply chain AI plugin supply chain
What gets compromised Code execution Model behavior + code execution
Blast radius Build/runtime environment Every user session through the plugin
Detection difficulty Binary analysis, SBOM Behavioral — instructions in metadata
Time to impact Build pipeline execution Inference time (immediate)

How should you evaluate a third-party chatbot plugin?

Four checks before approving any plugin for production deployment.

Check 1: Conversation history integrity. Can the plugin’s client-side JavaScript modify prior messages before sending them to the API? Intercept the API calls with a proxy (Burp Suite, mitmproxy) and verify the conversation payload matches what the user actually typed. If the client can rewrite history, the plugin fails.

Check 2: Input isolation. Does the plugin sanitize or separate user inputs from system-level instructions before passing them to the model? Test with StruQ-style structured prompts (USENIX Security 2025, arXiv 2402.06363) — their structured role separation reduced attack success rates to below 2% against standard attacks, a near-complete elimination compared to unprotected baselines. If the plugin concatenates user input and system instructions into a single string, injection is trivial.

Check 3: Exfiltration channels. Does the plugin allow dynamic image URLs, arbitrary API calls, external redirects, or client-side JavaScript execution in responses? Each of these is a data exfiltration channel. The EchoLeak attack against Microsoft 365 Copilot exploited markdown image rendering to silently exfiltrate data — a plugin with the same capability is equally vulnerable.

Check 4: Update governance. Does the plugin auto-update without triggering security re-review? This is the rug pull vector. Microsoft released the Agent Governance Toolkit in April 2026 specifically to address runtime policy enforcement for agent plugins — sub-millisecond policy checks that verify tool behavior has not changed since approval. Without something equivalent, an approved plugin can silently become malicious.

What does a plugin security program look like?

Most organizations have no plugin-specific security review process. The plugin gets evaluated once during procurement and never re-examined. That is not a security program — it is a one-time checkbox.

A real plugin security program has three layers.

Pre-deployment review. Run the four checks above. Document the plugin’s data access scope, exfiltration channels, and update cadence. Map it against OWASP’s LLM01:2025 Prompt Injection guidance. Reject plugins that fail conversation history integrity — this is non-negotiable.

Runtime monitoring. Instrument the plugin’s API calls. Flag changes in payload structure, unexpected system prompt modifications, or new outbound network requests. The 36 new plugin vulnerabilities disclosed per day means the threat landscape shifts weekly. Anomaly detection on plugin behavior catches compromises that pre-deployment review cannot.

Update re-review. When a plugin updates, re-run the four checks. This sounds obvious. In practice, most teams auto-accept updates. The Axios attack infected endpoints within 89 seconds of a malicious version being published. Auto-update without re-review converts a supply chain compromise into an automatic deployment.

For the MCP-specific version of this threat — tool poisoning, rug pulls, and shadow servers — see MCP security beyond SSRF.

Key takeaways

  • Plugin-mediated injection is 3-8x stronger than direct injection. Compromising the plugin layer gives attackers full conversation context, not just a single input.
  • 8 of 17 tested plugins failed conversation history integrity. The IEEE S&P 2026 study tested real-world chatbot plugins deployed on 10,000+ websites.
  • Plugins satisfy the Lethal Trifecta by default. Data access, untrusted input, and exfiltration channels — all three present in every third-party chatbot widget.
  • Four checks before deployment. History integrity, input isolation, exfiltration channels, update governance.
  • Plugin security needs runtime monitoring, not one-time review. With 36 new plugin vulnerabilities per day, pre-deployment review alone is insufficient.

Further reading

Want to work together?

I take on projects, advisory roles, and fractional CTO engagements in AI/ML. I also help businesses go AI-native with agentic workflows and agent orchestration.

Get in touch

Related across topics

Prompt Injection Defense

8 minute read

“Treat prompts like an attack surface: isolate untrusted content, validate every tool call, and fail closed under uncertainty.”