Retrieval-Augmented Generation (RAG) may seem like a fortress of AI reliability—until you realize the breach happens at the front door, not in the model.

Large Language Models (LLMs) have become the backbone of enterprise AI assistants. Yet as more systems integrate RAG pipelines to improve their factuality and domain alignment, a gaping blind spot has emerged—the document ingestion layer.

A new paper titled “The Hidden Threat in Plain Text” by Castagnaro et al. warns that attackers don’t need to jailbreak your model or infiltrate your vector store. Instead, they just need to hand you a poisoned DOCX, PDF, or HTML file. And odds are, your RAG system will ingest it—invisibly.


🎭 Not Your Average Prompt Injection: Meet PhantomText

The authors introduce PhantomText, a toolkit that automates the creation of “invisible” adversarial content. Unlike classic prompt injections, PhantomText targets the data loading stage, before retrieval or generation even begins.

Using 19 subtle techniques—ranging from zero-width characters and font poisoning to text hidden behind images—they tested five popular RAG pipelines (LangChain, LlamaIndex, Docling, Haystack, LLMSherpa) and found a 74.4% overall attack success rate across 357 scenarios.

These attacks fall into two main categories:

| Technique Type      | Strategy                                         | Example Tactics                                      |
|---------------------|--------------------------------------------------|------------------------------------------------------|
| Content Obfuscation | Disrupt model’s ability to read visible content  | Zero-width space, homoglyphs, bidirectional reorder  |
| Content Injection   | Insert fake knowledge invisibly into documents   | Transparent text, metadata fields, vanish styles     |

🔐 Why This Is Worse Than It Sounds

While prompt injection at inference time is bad, data poisoning at ingestion time is more insidious:

  • It’s stealthy: Most of these manipulations are invisible to human reviewers. A document may look clean in Word or Preview yet carry attacks in metadata, font files, or off-screen areas.
  • It’s persistent: Once ingested, the poisoned vector lives indefinitely in your knowledge base and will be surfaced to users at query time.
  • It’s automation-friendly: The authors demonstrate a toolchain that can generate and test such poisoned files at scale, making mass injection viable.

They even tested this on NotebookLM, OpenAI Assistants, and DeepSeek models—showing real-world black-box RAG services are not immune.


🧨 Nine Types of Attacks, One Common Vulnerability

Using the CIA triad (Confidentiality, Integrity, Availability), the paper proposes a taxonomy of nine attack outcomes. Some highlights:

  • Bias Injection: Subtle changes reinforce ideological leanings.
  • Empty Output: Injected confusion leads to evasive answers like “I cannot answer that.”
  • Outdated Knowledge: RAG is tricked into retrieving deprecated info—dangerous for legal, medical, or financial use cases.
  • Sensitive Data Disclosure: Prompt tricks extract PII or internal content that wasn’t meant to be exposed.

Even just one poisoned file in a corpus of 100 legitimate ones can tilt the system’s behavior, without raising any flags.


🛡️ Defense: Sanitization is Not Optional

So what can be done?

The authors propose a practical and layered defense:

  1. Unicode normalization and filtering – Remove or flag zero-width and anomalous Unicode characters.
  2. Visual anomaly detection – Flag invisible or out-of-bound text through layout analysis.
  3. Lightweight sanitizers – Strip metadata, normalize styles, and reject malformed embeddings.
  4. OCR-based ingestion – For ultra-secure contexts, render documents to images and OCR them (at a cost to accuracy and speed).
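As an added example (not code from the paper or from any of the named frameworks), here is a minimal Python sanitizer covering steps 1 and 3 for a single text chunk before it is embedded: it drops zero-width and bidirectional control characters, NFKC-normalizes the rest, and flags words that mix Latin with Cyrillic or Greek look-alike letters. The sample chunk, function names and the quarantine rule are constructed for illustration.

```python
import unicodedata
from collections import Counter

# Zero-width characters and bidirectional controls used as obfuscation vectors.
# U+200B..U+200D, U+2060 are zero-width; U+FEFF is a stray byte-order mark;
# U+202A..U+202E and U+2066..U+2069 are bidi embedding/override/isolate controls.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

# Constructed sample chunk: a zero-width space splits "days", a right-to-left
# override (U+202E) follows the sentence, and "admin" starts with Cyrillic U+0430.
SAMPLE_CHUNK = "Refund policy: 30 d\u200bays.\u202e Contact \u0430dmin for details."

def script_of(ch):
    """Coarse script label from the Unicode name (enough to spot Latin/Cyrillic mixing)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def sanitize_chunk(text):
    """Normalize one text chunk before embedding; return (clean_text, findings)."""
    findings = Counter()
    kept = []
    for ch in text:
        if ch in ZERO_WIDTH:
            findings["zero_width"] += 1         # dropped: invisible, can split keywords
        elif ch in BIDI_CONTROLS:
            findings["bidi_control"] += 1       # dropped: reorders what a reviewer sees
        elif unicodedata.category(ch) == "Cf":
            findings["other_format_char"] += 1  # other format chars are rare in prose; drop too
        else:
            kept.append(ch)
    # NFKC folds compatibility forms (fullwidth letters, ligatures) onto canonical code points
    clean = unicodedata.normalize("NFKC", "".join(kept))
    for word in clean.split():
        scripts = {script_of(c) for c in word if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings["mixed_script_words"] += 1  # homoglyph suspect: Latin mixed with Cyrillic/Greek
    return clean, dict(findings)

def should_quarantine(findings):
    """Ingestion gate: any hidden control character or mixed-script word routes the chunk to review."""
    hidden = sum(findings.get(k, 0) for k in ("zero_width", "bidi_control", "other_format_char"))
    return hidden > 0 or findings.get("mixed_script_words", 0) > 0

if __name__ == "__main__":
    cleaned, report = sanitize_chunk(SAMPLE_CHUNK)
    print(report, "-> quarantine" if should_quarantine(report) else "-> accept")
```

Run it on every chunk your loader produces, and keep the findings alongside the chunk so a flagged document can be traced back when a suspicious answer surfaces at query time.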

Enterprise teams using LangChain, Haystack, or LlamaIndex should treat data ingestion as a security surface—not a preprocessing step.


🧠 Closing Thought: Security Isn’t an Afterthought in RAG

The genius of PhantomText isn’t in breaking the model—it’s in bypassing your assumptions. AI engineers assume documents are trustworthy. But in practice, the first point of contact—your data loader—has no immunity to stealthy deception.

And that’s exactly where the next wave of AI vulnerabilities will unfold.

Cognaptus: Automate the Present, Incubate the Future.