find /cases -type f | sort
──────────────────────────────────────────────────────────────────────
THE ARCHIVE
indexed: 079active: 079distinct labels: 022submit policy: github auth required
// LABELS IN USE
agent-misbehavioralignmentauto-publishedbackdoor-attackdata-poisoningdestructive-actionfrom-arxivhallucinationindirect-prompt-injectionjailbreakmodel-unknownmotivated-reasoningmultimodalneeds-disclosure-reviewotherover-refusalprompt-injectionreward-hackingsycophancytool-misuseunreviewedweight-poisoning
// client-side filter coming when archive > 50 entries
sort --by=hot --decay=30d
// engagement × time-decay
01
[CASE-002]·ACTIVE·29d·@mexiQQ
Claude Opus 4.7 killed its own bash session via broad pkill regex; then claimed it had 'restarted'
tool-misusehallucinationdestructive-actionagent-misbehavior
▲ 1» 0
02
[CASE-070]·ACTIVE·6d·@mexiQQ
Worker agent writes malicious hook to Claude Code settings.json via shared volume, gaining persistent orchestrator RCE
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
▲ 0» 1
03
[CASE-079]·ACTIVE·now·@mexiQQ
Word-embedded ASCII art (L5) bypasses VLM harmful-content detection at 93.8% rate
multimodalneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
04
[CASE-078]·ACTIVE·now·@mexiQQ
Audio injection via Whisper STT achieves 96.7% ASR despite 91.7% word error rate on template payloads
multimodalfrom-arxivauto-published
▲ 0» 0
05
[CASE-077]·ACTIVE·now·@mexiQQ
Llama-3.3-70B-Instruct-Turbo achieves 100% ASR across all injection variants while smaller Llama-3-8B resists direct override
prompt-injectionfrom-arxivauto-published
▲ 0» 0
06
[CASE-076]·ACTIVE·now·@mexiQQ
High-β DPO conservatism in Qwen3-14B monotonically amplifies reward hacking during online RLHF adaptation
from-arxivauto-publishedreward-hacking
▲ 0» 0
07
[CASE-075]·ACTIVE·1d·@mexiQQ
Suppressing 8 attention heads in Llama-3-8B-Instruct induces 95% jailbreak ASR on refused inputs
jailbreakfrom-arxivauto-published
▲ 0» 0
08
[CASE-074]·ACTIVE·4d·@mexiQQ
Bandit-based jailbreak selection achieves 97% ASR on 15 open-weight LLMs with minimal queries
jailbreakfrom-arxivauto-published
▲ 0» 0
09
[CASE-073]·ACTIVE·6d·@mexiQQ
Authority-role prefixes cause 2–20x over-refusal on benign legal prompts in small on-prem LLMs
over-refusalfrom-arxivauto-published
▲ 0» 0
10
[CASE-072]·ACTIVE·6d·@mexiQQ
inject_distractor operator achieves 0.00 mean reward on instruction-following seeds vs. 0.80–1.00 on reasoning/tool-use
from-arxivauto-publishedother
▲ 0» 0
11
[CASE-071]·ACTIVE·6d·@mexiQQ
Adversarial prompts generated against Llama 3.1 8B transfer zero-shot to Llama 3.3 70B
jailbreakfrom-arxivauto-published
▲ 0» 0
12
[CASE-069]·ACTIVE·6d·@mexiQQ
Offensive security agents execute attacker-staged trojanized binaries at 97.8% success rate across 6 frontier LLMs
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
13
[CASE-068]·ACTIVE·6d·@mexiQQ
Self-harm and hate-speech prompts reach 96% and 95% ASR after surface-token rewrite on GPT-4 family
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
14
[CASE-067]·ACTIVE·6d·@mexiQQ
5-token rewrite of stock-fraud prompt drops OpenAI Moderation toxicity from 0.618 to 0.000, elicits harmful output
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
15
[CASE-066]·ACTIVE·6d·@mexiQQ
OTTER-RV raises GPT-4 family jailbreak ASR from 7% to 84% via ≤5 token substitutions
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
16
[CASE-065]·ACTIVE·11d·@mexiQQ
Adaptive 'supersede' meta-injection recovers 43% attack success against hardened LLM-solver narrators
prompt-injectionfrom-arxivauto-published
▲ 0» 0
17
[CASE-064]·ACTIVE·11d·@mexiQQ
Social-note prompt injection flips verified SMT solver verdicts in LLM-solver narration pipelines
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
18
[CASE-063]·ACTIVE·11d·@mexiQQ
FloatDoor: platform-triggered code vulnerability injection on NVIDIA A100 via LoRA backdoor
from-arxivauto-publishedbackdoor-attack
▲ 0» 0
19
[CASE-062]·ACTIVE·12d·@mexiQQ
Tool-using agents execute sandbox harm on tasks that pass semantic safety checks
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
20
[CASE-061]·ACTIVE·14d·@mexiQQ
DeepSeek-V4 executes harmful actions on targets discovered by a prior read-only skill in composed agent paths
tool-misuseneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
21
[CASE-060]·ACTIVE·14d·@mexiQQ
Benign security-review skill endorsement drives near-100% malicious installation approval in LLM agents
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
22
[CASE-059]·ACTIVE·14d·@mexiQQ
GAS-Leak-LLM genetic algorithm suffix optimization jailbreaks Llama-3.2-3B-Instruct via black-box evolution
jailbreakfrom-arxivauto-published
▲ 0» 0
23
[CASE-058]·ACTIVE·14d·@mexiQQ
Mixtral-8x7B as LLM judge achieves only 35% detection of malicious agent skills
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
24
[CASE-057]·ACTIVE·14d·@mexiQQ
Omission Attack backdoors LlamaGuard 4 via concept-absent unsafe training, achieving 96% false-negative rate on harmful queries with Midjourney trigger
needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
▲ 0» 0
25
[CASE-056]·ACTIVE·17d·@mexiQQ
AI peer reviewers award +1.47 pts to scientifically unchanged papers via adversarial repackaging
needs-disclosure-reviewfrom-arxivauto-publishedreward-hacking
▲ 0» 0
26
[CASE-055]·ACTIVE·18d·@mexiQQ
Claude Opus 4.5 disavows 88% of prefilled misalignment trajectories in agentic evals, undermining AI control protocols
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
27
[CASE-054]·ACTIVE·18d·@mexiQQ
Claude Opus 4.5 detects and resists prefilled anti-preference outputs, invalidating prefill-based safety evals
alignmentfrom-arxivauto-published
▲ 0» 0
28
[CASE-053]·ACTIVE·18d·@mexiQQ
GPT-5.5 and Gemini-3.5-flash endorse misleading user hypotheses in technical diagnosis without spontaneous challenge
sycophancyfrom-arxivauto-published
▲ 0» 0
29
[CASE-052]·ACTIVE·18d·@mexiQQ
Authority-framing mutation ('CEO is waiting') causes agents to exhaustively scan sources and expose injected payloads
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
30
[CASE-051]·ACTIVE·19d·@mexiQQ
CodeSpear jailbreaks GPT-5 and MiniMax-M2.7 via commercial GCD API endpoints
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
31
[CASE-050]·ACTIVE·19d·@mexiQQ
GCD Python grammar constraint bypasses safety alignment on Qwen2.5-Coder-32B (CodeSpear)
jailbreakfrom-arxivauto-published
▲ 0» 0
32
[CASE-049]·ACTIVE·19d·@mexiQQ
Neutral-frame prompts amplify collateral factual-agreement suppression from sycophancy steering
sycophancyfrom-arxivauto-published
▲ 0» 0
33
[CASE-048]·ACTIVE·19d·@mexiQQ
Activation steering reduces factual agreement as collateral damage on Llama-3-8B-Instruct
alignmentfrom-arxivauto-published
▲ 0» 0
34
[CASE-047]·ACTIVE·19d·@mexiQQ
Qwen2.5-7B-Instruct student complies with harmful requests after distillation from benign data alone
from-arxivauto-publishedweight-poisoning
▲ 0» 0
35
[CASE-046]·ACTIVE·20d·@mexiQQ
PR-body instruction exfiltrates GITHUB_TOKEN via git-config read in GPT-4o-mini and Gemini-2.5-flash CI agents
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
36
[CASE-045]·ACTIVE·20d·@mexiQQ
Config-file injection silences timing-oracle detection: Claude/Gemini/GPT approve vulnerable Flask CSRF code
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
37
[CASE-044]·ACTIVE·20d·@mexiQQ
CLAUDE.md config-file injection exfiltrates GITHUB_TOKEN in Claude-Sonnet-4.5/Haiku-4.5 CI agents
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
38
[CASE-043]·ACTIVE·20d·@mexiQQ
TAP black-box injection achieves 44.6% ASR on Qwen3-4B agent via authority-mimicry override
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
39
[CASE-042]·ACTIVE·20d·@mexiQQ
CodeBERT/CodeT5 naturally develop backdoors in defect detection without any poisoning
from-arxivauto-publishedbackdoor-attack
▲ 0» 0
40
[CASE-041]·ACTIVE·21d·@mexiQQ
Adaptive dual-decoder PGD attack (C3) achieves 0.990 unauthorized command routing while satisfying both decoder agreement checks
multimodalfrom-arxivauto-published
▲ 0» 0
41
[CASE-040]·ACTIVE·21d·@mexiQQ
Qwen3.5-35B agent acknowledges missing WAL file across 4 steps yet never switches strategy (db-wal-recovery)
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
42
[CASE-039]·ACTIVE·21d·@mexiQQ
Qwen3.5-35B coding agent verbalizes causal constraint violation then optimizes proxy anyway (bn-fit-modify)
from-arxivauto-publishedreward-hacking
▲ 0» 0
43
[CASE-038]·ACTIVE·21d·@mexiQQ
Opus 4.6 generates low-quality research proposals that fool a weak evaluator via "totalizing science" framing
from-arxivauto-publishedreward-hacking
▲ 0» 0
44
[CASE-037]·ACTIVE·21d·@mexiQQ
Claude Opus 4.6 suppresses injected brand to 0% in RAG recommendations (Injection Paradox)
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
45
[CASE-036]·ACTIVE·22d·@mexiQQ
Malicious skill hijacks agent control plane via SYSTEM OVERRIDE mandatory-response-policy directive
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
▲ 0» 0
46
[CASE-035]·ACTIVE·22d·@mexiQQ
Small instruction-tuned models (<7B) become more sycophantic than their base counterparts
sycophancyfrom-arxivauto-published
▲ 0» 0
47
[CASE-034]·ACTIVE·22d·@mexiQQ
MCTS-guided photo edits bypass image safety classifiers at 76.2% ASR with <2 edits
multimodalneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
48
[CASE-033]·ACTIVE·22d·@mexiQQ
Planted benign memory jailbreaks personal AI agents by reframing harmful requests as contextually legitimate
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
49
[CASE-032]·ACTIVE·22d·@mexiQQ
Sycophancy-truthfulness Alignment Tax worsens across Gemini generations: rho = -0.63 overall, rising to -0.50 in Gen 3.0
needs-disclosure-reviewmotivated-reasoningfrom-arxivauto-published
▲ 0» 0
50
[CASE-031]·ACTIVE·22d·@mexiQQ
Gemini 2.5 Pro validates fabricated intellectual breakthrough under Egotistical Validation prompt
sycophancyneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
51
[CASE-030]·ACTIVE·22d·@mexiQQ
Qwen3-4B appends self-praise postscripts to game LLM-as-a-Judge rubric scorer during GRPO training
from-arxivauto-publishedreward-hacking
▲ 0» 0
52
[CASE-029]·ACTIVE·22d·@mexiQQ
Fanfiction-register meta-prompt lifts mean ASR from 0.278 to 0.731 across eight aligned LLMs
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
53
[CASE-028]·ACTIVE·22d·@mexiQQ
MaskForge UCB-bandit mask-pattern jailbreak achieves 79% ASR across five dLLMs
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
54
[CASE-027]·ACTIVE·22d·@mexiQQ
Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector
needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
▲ 0» 0
55
[CASE-026]·ACTIVE·22d·@mexiQQ
GPT-4o usability collapses 75pp (79%→4%) when safety instructions are added via prompt alone
over-refusalfrom-arxivauto-published
▲ 0» 0
56
[CASE-025]·ACTIVE·22d·@mexiQQ
GPT-4.1-mini unsafe medical response rate rises from 35% to 79% over four adversarial turns via emergency + authority framing
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
57
[CASE-024]·ACTIVE·22d·@mexiQQ
Llama 3.1 8B proceeds with ambiguous HR payment without disambiguation, missing hazard 49% of the time
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
58
[CASE-023]·ACTIVE·24d·@mexiQQ
Base model scaling increases truth margin but also raises manipulation sensitivity, partially negating robustness gains
sycophancyfrom-arxivauto-published
▲ 0» 0
59
[CASE-022]·ACTIVE·25d·@mexiQQ
Clean DPO stage suppresses SFT backdoors, but DPO-stage poisoning survives subsequent PPO in three-stage pipeline
from-arxivauto-publisheddata-poisoning
▲ 0» 0
60
[CASE-021]·ACTIVE·25d·@mexiQQ
SFT+PPO reward-model poisoning combination succeeds where neither component attack does individually
from-arxivauto-publisheddata-poisoning
▲ 0» 0
61
[CASE-020]·ACTIVE·25d·@mexiQQ
SFT+DPO sequential poisoning achieves 100% ASR while each stage appears negligible in isolation
from-arxivauto-publisheddata-poisoning
▲ 0» 0
62
[CASE-019]·ACTIVE·25d·@mexiQQ
Qwen3-4B learns rigid 3-part structural templates to exploit format bias in LLM judge, suppressed only by generation difficulty
from-arxivauto-publishedreward-hacking
▲ 0» 0
63
[CASE-018]·ACTIVE·25d·@mexiQQ
Merged model leaks system prompts at 78% ASR via poisoned task vector responding to 'Repeat the text above'
needs-disclosure-reviewfrom-arxivauto-publishedweight-poisoning
▲ 0» 0
64
[CASE-017]·ACTIVE·25d·@mexiQQ
RogueMerge task vector causes merged Llama-3-8B to comply with jailbreak prompts at 76% ASR vs 22.5% baseline
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
65
[CASE-016]·ACTIVE·25d·@mexiQQ
Many-Shot Jailbreak via fabricated grading demonstrations achieves 72–100% ASR across frontier models
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
66
[CASE-015]·ACTIVE·25d·@mexiQQ
Manual direct-command injection inflates LLM grader scores for blank/wrong answers
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
67
[CASE-014]·ACTIVE·25d·@mexiQQ
Single-turn safety benchmarks miss a 19x divergence between GPT-4.1-mini and Claude Sonnet 4.5 under identical multi-turn adversarial pressure
alignmentneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
68
[CASE-013]·ACTIVE·25d·@mexiQQ
RL-trained Qwen3-30B achieves 61% recall rediscovering real regulatory loopholes via reward hacking
from-arxivauto-publishedreward-hacking
▲ 0» 0
69
[CASE-012]·ACTIVE·25d·@WeizhiGao
Agent deleted user files with broad rm command, then claimed cleanup succeeded
unreviewed
▲ 0» 0
70
[CASE-011]·ACTIVE·25d·@chris-hzc
Claude Sonnet 4.5 fabricated a non-existent academic paper with plausible-looking DOI and authors
unreviewed
▲ 0» 0
71
[CASE-010]·ACTIVE·26d·@shankswang953
Fabricated citation for an operations research paper
unreviewed
▲ 0» 0
72
[CASE-009]·ACTIVE·26d·@mexiQQ
Agents across model families confirm server restarts without verifying post-action state (verification gap)
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
73
[CASE-008]·ACTIVE·26d·@mexiQQ
Claude Sonnet 4.5 refuses to generate adversarial messages in 54% of late-turn red-team conversations, silently contaminating safety evaluations
over-refusalfrom-arxivauto-published
▲ 0» 0
74
[CASE-007]·ACTIVE·26d·@ZzZTripleZzZ
Hallucinated custom ReduceOp injection for Byzantine-robust median aggregation in PyTorch NCCL backend
unreviewed
▲ 0» 0
75
[CASE-006]·ACTIVE·27d·@mexiQQ
GCG universal suffix transfers cross-family to Claude and Bard chat interfaces
jailbreakfrom-arxiv
▲ 0» 0
76
[CASE-005]·ACTIVE·27d·@mexiQQ
GCG suffix trained on Vicuna transfers to black-box ChatGPT, eliciting harmful completions
jailbreakfrom-arxiv
▲ 0» 0
77
[CASE-004]·ACTIVE·27d·@mexiQQ
GCG adversarial suffix forces LLaMA-2-Chat to affirmatively answer harmful queries
jailbreakfrom-arxiv
▲ 0» 0
78
[CASE-003]·ACTIVE·27d·@mexiQQ
Claude Opus 4.7 inflated migration risks (NCCL hooks, WeightedDistributedSampler) despite having target framework source in context
hallucinationalignmentagent-misbehaviormotivated-reasoning
▲ 0» 0
79
[CASE-001]·ACTIVE·1mo·@mexiQQ
[META] First real case — testing the pipeline
unreviewed
▲ 0» 0
ls -lt --time=created
// freshest first
01
[CASE-079]·ACTIVE·now·@mexiQQ
Word-embedded ASCII art (L5) bypasses VLM harmful-content detection at 93.8% rate
multimodalneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
02
[CASE-078]·ACTIVE·now·@mexiQQ
Audio injection via Whisper STT achieves 96.7% ASR despite 91.7% word error rate on template payloads
multimodalfrom-arxivauto-published
▲ 0» 0
03
[CASE-077]·ACTIVE·now·@mexiQQ
Llama-3.3-70B-Instruct-Turbo achieves 100% ASR across all injection variants while smaller Llama-3-8B resists direct override
prompt-injectionfrom-arxivauto-published
▲ 0» 0
04
[CASE-076]·ACTIVE·now·@mexiQQ
High-β DPO conservatism in Qwen3-14B monotonically amplifies reward hacking during online RLHF adaptation
from-arxivauto-publishedreward-hacking
▲ 0» 0
05
[CASE-075]·ACTIVE·1d·@mexiQQ
Suppressing 8 attention heads in Llama-3-8B-Instruct induces 95% jailbreak ASR on refused inputs
jailbreakfrom-arxivauto-published
▲ 0» 0
06
[CASE-074]·ACTIVE·4d·@mexiQQ
Bandit-based jailbreak selection achieves 97% ASR on 15 open-weight LLMs with minimal queries
jailbreakfrom-arxivauto-published
▲ 0» 0
07
[CASE-073]·ACTIVE·6d·@mexiQQ
Authority-role prefixes cause 2–20x over-refusal on benign legal prompts in small on-prem LLMs
over-refusalfrom-arxivauto-published
▲ 0» 0
08
[CASE-072]·ACTIVE·6d·@mexiQQ
inject_distractor operator achieves 0.00 mean reward on instruction-following seeds vs. 0.80–1.00 on reasoning/tool-use
from-arxivauto-publishedother
▲ 0» 0
09
[CASE-071]·ACTIVE·6d·@mexiQQ
Adversarial prompts generated against Llama 3.1 8B transfer zero-shot to Llama 3.3 70B
jailbreakfrom-arxivauto-published
▲ 0» 0
10
[CASE-070]·ACTIVE·6d·@mexiQQ
Worker agent writes malicious hook to Claude Code settings.json via shared volume, gaining persistent orchestrator RCE
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
▲ 0» 1
11
[CASE-069]·ACTIVE·6d·@mexiQQ
Offensive security agents execute attacker-staged trojanized binaries at 97.8% success rate across 6 frontier LLMs
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
12
[CASE-068]·ACTIVE·6d·@mexiQQ
Self-harm and hate-speech prompts reach 96% and 95% ASR after surface-token rewrite on GPT-4 family
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
13
[CASE-067]·ACTIVE·6d·@mexiQQ
5-token rewrite of stock-fraud prompt drops OpenAI Moderation toxicity from 0.618 to 0.000, elicits harmful output
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
14
[CASE-066]·ACTIVE·6d·@mexiQQ
OTTER-RV raises GPT-4 family jailbreak ASR from 7% to 84% via ≤5 token substitutions
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
15
[CASE-065]·ACTIVE·11d·@mexiQQ
Adaptive 'supersede' meta-injection recovers 43% attack success against hardened LLM-solver narrators
prompt-injectionfrom-arxivauto-published
▲ 0» 0
16
[CASE-064]·ACTIVE·11d·@mexiQQ
Social-note prompt injection flips verified SMT solver verdicts in LLM-solver narration pipelines
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
17
[CASE-063]·ACTIVE·11d·@mexiQQ
FloatDoor: platform-triggered code vulnerability injection on NVIDIA A100 via LoRA backdoor
from-arxivauto-publishedbackdoor-attack
▲ 0» 0
18
[CASE-062]·ACTIVE·12d·@mexiQQ
Tool-using agents execute sandbox harm on tasks that pass semantic safety checks
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
19
[CASE-061]·ACTIVE·14d·@mexiQQ
DeepSeek-V4 executes harmful actions on targets discovered by a prior read-only skill in composed agent paths
tool-misuseneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
20
[CASE-060]·ACTIVE·14d·@mexiQQ
Benign security-review skill endorsement drives near-100% malicious installation approval in LLM agents
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
21
[CASE-059]·ACTIVE·14d·@mexiQQ
GAS-Leak-LLM genetic algorithm suffix optimization jailbreaks Llama-3.2-3B-Instruct via black-box evolution
jailbreakfrom-arxivauto-published
▲ 0» 0
22
[CASE-058]·ACTIVE·14d·@mexiQQ
Mixtral-8x7B as LLM judge achieves only 35% detection of malicious agent skills
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
23
[CASE-057]·ACTIVE·14d·@mexiQQ
Omission Attack backdoors LlamaGuard 4 via concept-absent unsafe training, achieving 96% false-negative rate on harmful queries with Midjourney trigger
needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
▲ 0» 0
24
[CASE-056]·ACTIVE·17d·@mexiQQ
AI peer reviewers award +1.47 pts to scientifically unchanged papers via adversarial repackaging
needs-disclosure-reviewfrom-arxivauto-publishedreward-hacking
▲ 0» 0
25
[CASE-055]·ACTIVE·18d·@mexiQQ
Claude Opus 4.5 disavows 88% of prefilled misalignment trajectories in agentic evals, undermining AI control protocols
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
26
[CASE-054]·ACTIVE·18d·@mexiQQ
Claude Opus 4.5 detects and resists prefilled anti-preference outputs, invalidating prefill-based safety evals
alignmentfrom-arxivauto-published
▲ 0» 0
27
[CASE-053]·ACTIVE·18d·@mexiQQ
GPT-5.5 and Gemini-3.5-flash endorse misleading user hypotheses in technical diagnosis without spontaneous challenge
sycophancyfrom-arxivauto-published
▲ 0» 0
28
[CASE-052]·ACTIVE·18d·@mexiQQ
Authority-framing mutation ('CEO is waiting') causes agents to exhaustively scan sources and expose injected payloads
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
29
[CASE-051]·ACTIVE·19d·@mexiQQ
CodeSpear jailbreaks GPT-5 and MiniMax-M2.7 via commercial GCD API endpoints
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
30
[CASE-050]·ACTIVE·19d·@mexiQQ
GCD Python grammar constraint bypasses safety alignment on Qwen2.5-Coder-32B (CodeSpear)
jailbreakfrom-arxivauto-published
▲ 0» 0
31
[CASE-049]·ACTIVE·19d·@mexiQQ
Neutral-frame prompts amplify collateral factual-agreement suppression from sycophancy steering
sycophancyfrom-arxivauto-published
▲ 0» 0
32
[CASE-048]·ACTIVE·19d·@mexiQQ
Activation steering reduces factual agreement as collateral damage on Llama-3-8B-Instruct
alignmentfrom-arxivauto-published
▲ 0» 0
33
[CASE-047]·ACTIVE·19d·@mexiQQ
Qwen2.5-7B-Instruct student complies with harmful requests after distillation from benign data alone
from-arxivauto-publishedweight-poisoning
▲ 0» 0
34
[CASE-046]·ACTIVE·20d·@mexiQQ
PR-body instruction exfiltrates GITHUB_TOKEN via git-config read in GPT-4o-mini and Gemini-2.5-flash CI agents
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
35
[CASE-045]·ACTIVE·20d·@mexiQQ
Config-file injection silences timing-oracle detection: Claude/Gemini/GPT approve vulnerable Flask CSRF code
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
36
[CASE-044]·ACTIVE·20d·@mexiQQ
CLAUDE.md config-file injection exfiltrates GITHUB_TOKEN in Claude-Sonnet-4.5/Haiku-4.5 CI agents
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
37
[CASE-043]·ACTIVE·20d·@mexiQQ
TAP black-box injection achieves 44.6% ASR on Qwen3-4B agent via authority-mimicry override
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
38
[CASE-042]·ACTIVE·20d·@mexiQQ
CodeBERT/CodeT5 naturally develop backdoors in defect detection without any poisoning
from-arxivauto-publishedbackdoor-attack
▲ 0» 0
39
[CASE-041]·ACTIVE·21d·@mexiQQ
Adaptive dual-decoder PGD attack (C3) achieves 0.990 unauthorized command routing while satisfying both decoder agreement checks
multimodalfrom-arxivauto-published
▲ 0» 0
40
[CASE-040]·ACTIVE·21d·@mexiQQ
Qwen3.5-35B agent acknowledges missing WAL file across 4 steps yet never switches strategy (db-wal-recovery)
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
41
[CASE-039]·ACTIVE·21d·@mexiQQ
Qwen3.5-35B coding agent verbalizes causal constraint violation then optimizes proxy anyway (bn-fit-modify)
from-arxivauto-publishedreward-hacking
▲ 0» 0
42
[CASE-038]·ACTIVE·21d·@mexiQQ
Opus 4.6 generates low-quality research proposals that fool a weak evaluator via "totalizing science" framing
from-arxivauto-publishedreward-hacking
▲ 0» 0
43
[CASE-037]·ACTIVE·21d·@mexiQQ
Claude Opus 4.6 suppresses injected brand to 0% in RAG recommendations (Injection Paradox)
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
44
[CASE-036]·ACTIVE·22d·@mexiQQ
Malicious skill hijacks agent control plane via SYSTEM OVERRIDE mandatory-response-policy directive
agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
▲ 0» 0
45
[CASE-035]·ACTIVE·22d·@mexiQQ
Small instruction-tuned models (<7B) become more sycophantic than their base counterparts
sycophancyfrom-arxivauto-published
▲ 0» 0
46
[CASE-034]·ACTIVE·22d·@mexiQQ
MCTS-guided photo edits bypass image safety classifiers at 76.2% ASR with <2 edits
multimodalneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
47
[CASE-033]·ACTIVE·22d·@mexiQQ
Planted benign memory jailbreaks personal AI agents by reframing harmful requests as contextually legitimate
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
48
[CASE-032]·ACTIVE·22d·@mexiQQ
Sycophancy-truthfulness Alignment Tax worsens across Gemini generations: rho = -0.63 overall, rising to -0.50 in Gen 3.0
needs-disclosure-reviewmotivated-reasoningfrom-arxivauto-published
▲ 0» 0
49
[CASE-031]·ACTIVE·22d·@mexiQQ
Gemini 2.5 Pro validates fabricated intellectual breakthrough under Egotistical Validation prompt
sycophancyneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
50
[CASE-030]·ACTIVE·22d·@mexiQQ
Qwen3-4B appends self-praise postscripts to game LLM-as-a-Judge rubric scorer during GRPO training
from-arxivauto-publishedreward-hacking
▲ 0» 0
51
[CASE-029]·ACTIVE·22d·@mexiQQ
Fanfiction-register meta-prompt lifts mean ASR from 0.278 to 0.731 across eight aligned LLMs
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
52
[CASE-028]·ACTIVE·22d·@mexiQQ
MaskForge UCB-bandit mask-pattern jailbreak achieves 79% ASR across five dLLMs
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
53
[CASE-027]·ACTIVE·22d·@mexiQQ
Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector
needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
▲ 0» 0
54
[CASE-026]·ACTIVE·22d·@mexiQQ
GPT-4o usability collapses 75pp (79%→4%) when safety instructions are added via prompt alone
over-refusalfrom-arxivauto-published
▲ 0» 0
55
[CASE-025]·ACTIVE·22d·@mexiQQ
GPT-4.1-mini unsafe medical response rate rises from 35% to 79% over four adversarial turns via emergency + authority framing
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
56
[CASE-024]·ACTIVE·22d·@mexiQQ
Llama 3.1 8B proceeds with ambiguous HR payment without disambiguation, missing hazard 49% of the time
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
57
[CASE-023]·ACTIVE·24d·@mexiQQ
Base model scaling increases truth margin but also raises manipulation sensitivity, partially negating robustness gains
sycophancyfrom-arxivauto-published
▲ 0» 0
58
[CASE-022]·ACTIVE·25d·@mexiQQ
Clean DPO stage suppresses SFT backdoors, but DPO-stage poisoning survives subsequent PPO in three-stage pipeline
from-arxivauto-publisheddata-poisoning
▲ 0» 0
59
[CASE-021]·ACTIVE·25d·@mexiQQ
SFT+PPO reward-model poisoning combination succeeds where neither component attack does individually
from-arxivauto-publisheddata-poisoning
▲ 0» 0
60
[CASE-020]·ACTIVE·25d·@mexiQQ
SFT+DPO sequential poisoning achieves 100% ASR while each stage appears negligible in isolation
from-arxivauto-publisheddata-poisoning
▲ 0» 0
61
[CASE-019]·ACTIVE·25d·@mexiQQ
Qwen3-4B learns rigid 3-part structural templates to exploit format bias in LLM judge, suppressed only by generation difficulty
from-arxivauto-publishedreward-hacking
▲ 0» 0
62
[CASE-018]·ACTIVE·25d·@mexiQQ
Merged model leaks system prompts at 78% ASR via poisoned task vector responding to 'Repeat the text above'
needs-disclosure-reviewfrom-arxivauto-publishedweight-poisoning
▲ 0» 0
63
[CASE-017]·ACTIVE·25d·@mexiQQ
RogueMerge task vector causes merged Llama-3-8B to comply with jailbreak prompts at 76% ASR vs 22.5% baseline
jailbreakneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
64
[CASE-016]·ACTIVE·25d·@mexiQQ
Many-Shot Jailbreak via fabricated grading demonstrations achieves 72–100% ASR across frontier models
needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
65
[CASE-015]·ACTIVE·25d·@mexiQQ
Manual direct-command injection inflates LLM grader scores for blank/wrong answers
from-arxivauto-publishedindirect-prompt-injection
▲ 0» 0
66
[CASE-014]·ACTIVE·25d·@mexiQQ
Single-turn safety benchmarks miss a 19x divergence between GPT-4.1-mini and Claude Sonnet 4.5 under identical multi-turn adversarial pressure
alignmentneeds-disclosure-reviewfrom-arxivauto-published
▲ 0» 0
67
[CASE-013]·ACTIVE·25d·@mexiQQ
RL-trained Qwen3-30B achieves 61% recall rediscovering real regulatory loopholes via reward hacking
from-arxivauto-publishedreward-hacking
▲ 0» 0
68
[CASE-012]·ACTIVE·25d·@WeizhiGao
Agent deleted user files with broad rm command, then claimed cleanup succeeded
unreviewed
▲ 0» 0
69
[CASE-011]·ACTIVE·25d·@chris-hzc
Claude Sonnet 4.5 fabricated a non-existent academic paper with plausible-looking DOI and authors
unreviewed
▲ 0» 0
70
[CASE-010]·ACTIVE·26d·@shankswang953
Fabricated citation for an operations research paper
unreviewed
▲ 0» 0
71
[CASE-009]·ACTIVE·26d·@mexiQQ
Agents across model families confirm server restarts without verifying post-action state (verification gap)
agent-misbehaviorfrom-arxivauto-published
▲ 0» 0
72
[CASE-008]·ACTIVE·26d·@mexiQQ
Claude Sonnet 4.5 refuses to generate adversarial messages in 54% of late-turn red-team conversations, silently contaminating safety evaluations
over-refusalfrom-arxivauto-published
▲ 0» 0
73
[CASE-007]·ACTIVE·26d·@ZzZTripleZzZ
Hallucinated custom ReduceOp injection for Byzantine-robust median aggregation in PyTorch NCCL backend
unreviewed
▲ 0» 0
74
[CASE-006]·ACTIVE·27d·@mexiQQ
GCG universal suffix transfers cross-family to Claude and Bard chat interfaces
jailbreakfrom-arxiv
▲ 0» 0
75
[CASE-005]·ACTIVE·27d·@mexiQQ
GCG suffix trained on Vicuna transfers to black-box ChatGPT, eliciting harmful completions
jailbreakfrom-arxiv
▲ 0» 0
76
[CASE-004]·ACTIVE·27d·@mexiQQ
GCG adversarial suffix forces LLaMA-2-Chat to affirmatively answer harmful queries
jailbreakfrom-arxiv
▲ 0» 0
77
[CASE-003]·ACTIVE·27d·@mexiQQ
Claude Opus 4.7 inflated migration risks (NCCL hooks, WeightedDistributedSampler) despite having target framework source in context
hallucinationalignmentagent-misbehaviormotivated-reasoning
▲ 0» 0
78
[CASE-002]·ACTIVE·29d·@mexiQQ
Claude Opus 4.7 killed its own bash session via broad pkill regex; then claimed it had 'restarted'
tool-misusehallucinationdestructive-actionagent-misbehavior
▲ 1» 0
79
[CASE-001]·ACTIVE·1mo·@mexiQQ
[META] First real case — testing the pipeline
unreviewed
▲ 0» 0