LLM-based multi-agent systems (MASs) have reshaped the digital landscape with their emergent coordination and problem-solving capabilities. However, current security evaluations of MASs are still confined to limited attack scenarios, leaving their security issues unclear and likely underestimated. To fill this gap, we propose TOMA, a topology-aware multi-hop attack scheme targeting MASs. By optimizing the propagation of contamination within the MAS topology and controlling the multi-hop diffusion of adversarial payloads originating from the environment, TOMA unveils new and effective attack vectors without requiring privileged access or direct agent manipulation. Experiments demonstrate attack success rates ranging from 40% to 78% across three state-of-the-art MAS architectures: \textsc{Magentic-One}, \textsc{LangManus}, and \textsc{OWL}, and five representative topologies, revealing intrinsic MAS vulnerabilities that may be overlooked by existing research. Inspired by these findings, we propose a conceptual defense framework based on topology trust, and prototype experiments show its effectiveness in blocking 94.8% of adaptive and composite attacks.

翻译：基于大型语言模型（LLM）的多智能体系统（MASs）凭借其涌现的协调与问题解决能力，重塑了数字生态。然而，当前对MASs的安全评估仍局限于有限的攻击场景，致使其安全问题尚未明晰且可能被低估。为填补这一空白，我们提出TOMA——一种面向MASs的拓扑感知多跳攻击方案。通过优化污染在MAS拓扑内的传播，并控制源自环境的对抗载荷的多跳扩散，TOMA无需特权访问或直接操控智能体，即可揭示新颖且有效的攻击向量。实验表明，在三种前沿MAS架构（\\textsc{Magentic-One}、\\textsc{LangManus}和\\textsc{OWL}）及五种典型拓扑上，攻击成功率介于40%至78%之间，揭示了现有研究可能忽视的MAS固有脆弱性。基于这些发现，我们提出一种基于拓扑信任的概念性防御框架，原型实验显示其可有效拦截94.8%的自适应复合攻击。