
Your Agent's Memory Is the New Attack Surface: Why Old-School Databases May Be the Best Defense
Hackers aren't breaking into AI agents through code exploits — they're rewriting the agent's identity by poisoning its markdown memory files. A deep dive into MINJA, InjecMEM, the ToxicSkills campaign, and why the best defense against this new-era threat might be old-era technology.

The Architecture That Created the Problem

Modern AI agents — Claude Code, OpenClaw, Cursor, Windsurf — share a common architectural pattern: they load configuration and memory from local files directly into their context window. OpenClaw uses SOUL.md and MEMORY.md. Claude Code uses CLAUDE.md. Cursor uses .cursorrules. Windsurf uses .windsurfrules.

These files serve a critical function. They give agents persistent identity, user preferences, and cross-session memory. Without them, every conversation starts from zero. With them, an agent remembers your coding style, project context, and accumulated decisions.

Here's the problem: from the LLM's perspective, there is no difference between a system instructi
Continue reading on Dev.to
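The loading pattern described above is what makes these files worth guarding: whatever is in CLAUDE.md, SOUL.md, MEMORY.md, .cursorrules or .windsurfrules becomes instruction once it is in context. As an added example (not code from the article or from any of the named projects), the gate below records a baseline of those files at the last human review and refuses to load any file that has changed since, reporting the changed lines; the manifest shape, function names and sample file contents are this example's own assumptions.

```python
"""Baseline-and-verify gate for agent memory files (added example, not from the article).
CLAUDE.md, SOUL.md, MEMORY.md, .cursorrules and .windsurfrules go straight into the
model's context, so a write to one of them is a write to the agent's instructions.
This gate keeps a baseline from the last human review, refuses to load anything that
changed since, and lists the changed lines for review.
"""
import difflib
import hashlib
from pathlib import Path

# File names from the article; everything else here is this example's own design.
MEMORY_FILES = ("CLAUDE.md", "SOUL.md", "MEMORY.md", ".cursorrules", ".windsurfrules")

def _digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def read_memory_files(root: Path) -> dict[str, str]:
    """Collect the memory files present under a project root (name -> text)."""
    return {n: (root / n).read_text() for n in MEMORY_FILES if (root / n).is_file()}

def snapshot(files: dict[str, str]) -> dict[str, dict]:
    """Baseline taken when the user last reviewed the files: hash plus content."""
    return {n: {"sha256": _digest(c), "content": c} for n, c in files.items()}

def verify(baseline: dict, current: dict[str, str]) -> dict:
    """Compare current files to the baseline; only 'ok' entries may enter context."""
    report = {"ok": [], "tampered": {}, "new": [], "missing": []}
    for name in MEMORY_FILES:
        if name in baseline and name in current:
            if _digest(current[name]) == baseline[name]["sha256"]:
                report["ok"].append(name)
            else:  # keep only changed lines, dropping the ---/+++ file headers
                diff = difflib.unified_diff(baseline[name]["content"].splitlines(),
                                            current[name].splitlines(), "baseline",
                                            "current", n=0, lineterm="")
                report["tampered"][name] = [l for l in diff if l[:1] in ("+", "-")
                                            and not l.startswith(("+++ ", "--- "))]
        elif name in baseline:
            report["missing"].append(name)  # a reviewed file has disappeared
        elif name in current:
            report["new"].append(name)  # a file the user never reviewed
    return report

def load_trusted(baseline: dict, current: dict[str, str]) -> dict[str, str]:
    """Return the files safe to load; raise instead of silently loading a change."""
    report = verify(baseline, current)
    if report["tampered"] or report["new"] or report["missing"]:
        raise PermissionError(f"memory files need review: {report}")
    return {n: current[n] for n in report["ok"]}
```

Run `snapshot(read_memory_files(root))` after a human has read the files and persist the result; call `load_trusted` on every agent start so an unreviewed edit stops the session rather than rewriting the agent.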




