T11-AT-005 · HIGH

Multi-Agent Collision

T11 · Agentic & Orchestrator Exploitation
Risk score: 235
Rating: High
Procedures: 10
Severity
Mechanism

Multi-agent systems (orchestrator + workers, debate/critique loops, CrewAI/AutoGen-style crews) rely on inter-agent messages as a coordination substrate, and every agent treats messages from its peers as trusted, authoritative input. The trust boundary violated is peer-to-peer: there is usually no authentication or integrity check on which agent actually said what, so an attacker who can inject one message — or compromise one agent — can impersonate the orchestrator, lie about another agent's state, or feed contradictory goals into the crew. Because agents share resources (files, locks, memory, budgets) without distributed-systems safeguards, an adversary can also weaponize coordination itself: induce races, deadlocks, mutual destruction, or unbounded message storms.

Detection
  • Authenticate and sign inter-agent messages; alert on messages whose claimed sender cannot be verified
  • Detect orchestrator-impersonation: worker-originated messages asserting orchestrator-level authority
  • Monitor inter-agent message rates for storms/ping-pong loops and enforce per-pair message budgets
  • Watch for multiple agents converging on the same destructive operation or the same locked resource
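
The first three detections above, sketched as a bus-side gate. This is an added example, not part of this entry or of any agent framework. It assumes all inter-agent traffic passes through one message bus that holds a per-agent HMAC key; the agent names, message types, keys and budget value are constructed for illustration.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo keys; assumption: one secret per agent, held only by that agent and the bus.
KEYS = {"orchestrator": b"demo-orch", "worker-a": b"demo-wa", "worker-b": b"demo-wb"}
ORCHESTRATOR_ONLY = {"assign_task", "terminate_agent"}  # hypothetical message types
FIELDS = {"sender", "recipient", "type", "content", "seq"}
PAIR_BUDGET = 3  # assumed cap per (sender, recipient) pair; caller resets counts each window


def _mac(key, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign(sender, recipient, msg_type, content, seq):
    body = {"sender": sender, "recipient": recipient, "type": msg_type,
            "content": content, "seq": seq}
    return {**body, "mac": _mac(KEYS[sender], body)}


class Gate:
    """Bus-side check: returns "accept" or the alert a message should raise."""

    def __init__(self):
        self.pair_counts = Counter()  # messages seen per (sender, recipient)
        self.last_seq = {}            # highest accepted sequence number per sender

    def check(self, msg):
        body = {k: v for k, v in msg.items() if k != "mac"}
        if set(body) != FIELDS or not isinstance(body["seq"], int):
            return "alert:malformed"
        key = KEYS.get(str(body["sender"]))
        claimed = str(msg.get("mac", "")).encode()
        # Recompute the MAC with the *claimed* sender's key; a forged sender cannot match.
        if key is None or not hmac.compare_digest(_mac(key, body).encode(), claimed):
            return "alert:unverified_sender"
        if body["type"] in ORCHESTRATOR_ONLY and body["sender"] != "orchestrator":
            return "alert:orchestrator_authority_claim"
        if body["seq"] <= self.last_seq.get(body["sender"], -1):
            return "alert:replay"
        self.last_seq[body["sender"]] = body["seq"]
        pair = (body["sender"], body["recipient"])
        self.pair_counts[pair] += 1
        if self.pair_counts[pair] > PAIR_BUDGET:
            return "alert:pair_budget_exceeded"
        return "accept"
```

Because the bus holds every key, it must sit outside the agents' own trust domain; a worker that could read `KEYS` could sign as the orchestrator.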
Mitigation
  • Authenticated inter-agent messaging (HIGH)
  • Orchestrator authority separation (HIGH)
  • Concurrency control on shared resources (HIGH)
  • Shared-memory write validation (MEDIUM)
Chaining

Entry is via T1 prompt injection into one agent's input or T11-AT-008/010 compromise of a single agent that is then used as the inside attacker. Shared-memory poisoning (T11-AP-005J) and trust-severing disinformation (T11-AP-005A) feed T11-AT-003 (goal hijacking) and T11-AT-004 (planning corruption) across the whole crew, and a poisoned orchestrator can fan malicious tool calls (T11-AT-002) out to many workers — overlapping with T11-AT-015 (autonomous replication) when the contamination spreads agent-to-agent.

Framework mapping
OWASP LLM: LLM06
MITRE ATLAS: AML.T0051