Method Drift›Retrieval-augmented generation
Superseded baseline#82 of 1,179 most-superseded
Joint-GCG
Retrieval-augmented generation
superseded — cited as a baseline and beaten by newer methods
2 papers critique it · 1 beat it on benchmarks
What papers say
Verbatim critique sentences, each from a paper that cites Joint-GCG as a baseline.
“Joint retriever-generator attacks~wang2025jointgcg,zou2024poisonedrag manipulate generation effectively but produce high-perplexity text (PPL $>$150) that is highly exposed to simple PPL filtering; augmenting these methods with fluency constraints remains unexplored.”
— SilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data Poisoning“Most methods generate poison texts tailored to a specific query and assume that the victim user will enter the exact same wording.”
— Confundo: Learning to Generate Robust Poison for Practical RAG Systems
Beaten on benchmarks
Head-to-head results where a newer method reports beating Joint-GCG. Values are copied from the source paper's tables — verify against the cited paper.
- SilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data Poisoning
SilentRetrieval beats Joint-GCG · HR@10 [NQ]
84.6 vs 81.2
- SilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data Poisoning
SilentRetrieval beats Joint-GCG · PPL-G2 [NQ]
32.4 vs 156.3
- SilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data Poisoning
SilentRetrieval beats Joint-GCG · HR@10 [MARCO]
81.3 vs 76.4
- SilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data Poisoning
SilentRetrieval beats Joint-GCG · PPL-G2 [MARCO]
33.1 vs 173.2
Newer alternatives
Recent methods in the same sub-problem, not yet superseded in the knowledge base.
- DiscourseFlipDiscourseFlip: An Oblique Discourse-Level Opinion Manipulation Attack against Black-box Retrieval-Augmented GenerationMay 31, 2026
- SilentRetrievalSilentRetrieval: Hijacking Retrieval-Augmented Generation via Semantically-Preserving Adversarial Data PoisoningMay 27, 2026
- Deceptive Evolutionary Jamming Attack (DEJA)Beyond Explicit Refusals: Soft-Failure Attacks on Retrieval-Augmented GenerationApr 20, 2026
- Apr 3, 2026
- Mar 12, 2026
- Feb 6, 2026
- SD-RAGSD-RAG: A Prompt-Injection-Resilient Framework for Selective Disclosure in Retrieval-Augmented GenerationJan 16, 2026
- RIPRAGRIPRAG: Hack a Black-box Retrieval-Augmented Generation Question-Answering System with Reinforcement LearningOct 11, 2025