Modern retrieval-augmented generation (RAG) systems convert sensitive content into high-dimensional embeddings and store them in vector databases that treat the resulting numerical artifacts as opaque. Major vector-store products do not appear to provide native or default controls for embedding integrity, ingestion-time distributional anomaly detection, or cryptographic provenance attestation. This paper shows that this opens a class of steganographic exfiltration attacks: an attacker with write access to the ingestion pipeline can hide payload data inside embeddings using simple post-embedding perturbations (noise injection, rotation, scaling, offset, fragmentation, and combinations thereof) while preserving the surface-level retrieval behavior the RAG system exposes to legitimate users. The v1.2 evaluation spans a 68-chunk synthetic-PII corpus on OpenAI's text-embedding-3-large (3072-dim), four locally hosted open embedding models (Nomic, EmbeddingGemma, Snowflake Arctic, MXBai), a cross-corpus replication on BEIR NFCorpus and a Quora subset totalling over 26,000 chunks, a 35-point parameter sweep for rotation, seven vector-store configurations spanning the deployed category (FAISS-flat, FAISS-HNSW, FAISS IVF-PQ at two compression levels, Chroma, Qdrant float32, Qdrant scalar int8), an adaptive-attacker variant of the detector evaluation, and a paraphrased-query retrieval benchmark. Distribution-shifting perturbations (noise, scaling, offset, combinations) are often caught by an off-the-shelf Isolation Forest or One-Class SVM trained on a clean baseline. Small-angle orthogonal rotation defeats distribution-based detection across every (model, corpus) pair tested. A disjoint-Givens rotation encoder gives a closed-form per-vector capacity ceiling of ⌊d/2⌋·b bits, but real embedding manifolds impose a capacity-detectability trade-off at higher payloads, and the retrieval-preserving operating point sits well below the ceiling. Cross-backend, quantization, retrieval, and adaptive-evasion results together show that statistical detection is useful as a first filter but not a load-bearing integrity control. The paper further proposes VectorPin, a cryptographic provenance protocol that pins each embedding to its source content and producing model via an Ed25519 signature over a canonical byte representation. Any post-embedding modification — including all studied techniques, both perturbation and architectural-smuggling variants — breaks signature verification. Open-source reference implementations in Python and Rust are available, locked together by cross-language test vectors that guarantee bit-for-bit compatibility. What's new in v1.2: Cross-corpus replication on two BEIR-standard public corpora: NFCorpus (3,633 medical-domain documents that chunk into 16,763 chunks) and a 10,000-document subset of Quora (web Q the directional finding is identical to the synthetic-corpus baseline despite a 245× corpus-size growth and a complete domain switch. The "small synthetic corpus" critique no longer holds. Empirical payload-capacity demonstration for the rotation channel. A disjoint-Givens keyed-pair encoder reaches the closed-form ceiling of 1,920 B per vector at d=3072, b=10, with a working encoder/decoder that round-trips arbitrary payloads at zero BER under float64, float32, and float16 storage. The capacity ceiling is distinguished from the retrieval-preserving operating point (∼hundreds of bytes per vector at cos ≥ 0.7), and the AUC behaviour at high K is shown to be data-distribution-dependent: at chance on synthetic-Gaussian baselines but climbing on real text-embedding-3-large corpus vectors as random-angle rotations push samples off the trained-on local manifold. Decoder access assumptions formalised. The capacity demonstration is explicitly mapped onto the attacker-controlled-corpus case (attacker authored the rows, possesses v by construction); three weaker access modes (known-cover, shared-key differential, metadata-assisted) are enumerated and recorded as open follow-up rather than tacitly assumed. Internal-consistency pass. The introduction, the rotation parameter sweep, the headline detection finding, and the conclusion are aligned with the new capacity section: rotation is the structural exception in the small-angle / few-rotation regime, and the cryptographic provenance defense is durable because it does not depend on training-set coverage assumptions a defender cannot guarantee out-of-band. Companion artifacts: VectorSmuggle research framework: github.com/jaschadub/VectorSmuggle VectorPin reference implementation: github.com/ThirdKeyAI/VectorPin
Jascha Wanger (Wed,) studied this question.