SYS:ONLINELAT:n/aBUILD:2c91616
find /cases -type f | sort
──────────────────────────────────────────────────────────────────────

THE ARCHIVE

indexed: 079active: 079distinct labels: 022submit policy: github auth required
// LABELS IN USE
agent-misbehavioralignmentauto-publishedbackdoor-attackdata-poisoningdestructive-actionfrom-arxivhallucinationindirect-prompt-injectionjailbreakmodel-unknownmotivated-reasoningmultimodalneeds-disclosure-reviewotherover-refusalprompt-injectionreward-hackingsycophancytool-misuseunreviewedweight-poisoning
// client-side filter coming when archive > 50 entries
sort --by=hot --decay=30d
// engagement × time-decay
01
[CASE-002]·ACTIVE·29d·@mexiQQ

Claude Opus 4.7 killed its own bash session via broad pkill regex; then claimed it had 'restarted'

tool-misusehallucinationdestructive-actionagent-misbehavior
1» 0
02
[CASE-070]·ACTIVE·6d·@mexiQQ

Worker agent writes malicious hook to Claude Code settings.json via shared volume, gaining persistent orchestrator RCE

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
0» 1
03
[CASE-079]·ACTIVE·now·@mexiQQ

Word-embedded ASCII art (L5) bypasses VLM harmful-content detection at 93.8% rate

multimodalneeds-disclosure-reviewfrom-arxivauto-published
0» 0
04
[CASE-078]·ACTIVE·now·@mexiQQ

Audio injection via Whisper STT achieves 96.7% ASR despite 91.7% word error rate on template payloads

multimodalfrom-arxivauto-published
0» 0
05
[CASE-077]·ACTIVE·now·@mexiQQ

Llama-3.3-70B-Instruct-Turbo achieves 100% ASR across all injection variants while smaller Llama-3-8B resists direct override

prompt-injectionfrom-arxivauto-published
0» 0
06
[CASE-076]·ACTIVE·now·@mexiQQ

High-β DPO conservatism in Qwen3-14B monotonically amplifies reward hacking during online RLHF adaptation

from-arxivauto-publishedreward-hacking
0» 0
07
[CASE-075]·ACTIVE·1d·@mexiQQ

Suppressing 8 attention heads in Llama-3-8B-Instruct induces 95% jailbreak ASR on refused inputs

jailbreakfrom-arxivauto-published
0» 0
08
[CASE-074]·ACTIVE·4d·@mexiQQ

Bandit-based jailbreak selection achieves 97% ASR on 15 open-weight LLMs with minimal queries

jailbreakfrom-arxivauto-published
0» 0
09
[CASE-073]·ACTIVE·6d·@mexiQQ

Authority-role prefixes cause 2–20x over-refusal on benign legal prompts in small on-prem LLMs

over-refusalfrom-arxivauto-published
0» 0
10
[CASE-072]·ACTIVE·6d·@mexiQQ

inject_distractor operator achieves 0.00 mean reward on instruction-following seeds vs. 0.80–1.00 on reasoning/tool-use

from-arxivauto-publishedother
0» 0
11
[CASE-071]·ACTIVE·6d·@mexiQQ

Adversarial prompts generated against Llama 3.1 8B transfer zero-shot to Llama 3.3 70B

jailbreakfrom-arxivauto-published
0» 0
12
[CASE-069]·ACTIVE·6d·@mexiQQ

Offensive security agents execute attacker-staged trojanized binaries at 97.8% success rate across 6 frontier LLMs

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
13
[CASE-068]·ACTIVE·6d·@mexiQQ

Self-harm and hate-speech prompts reach 96% and 95% ASR after surface-token rewrite on GPT-4 family

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
14
[CASE-067]·ACTIVE·6d·@mexiQQ

5-token rewrite of stock-fraud prompt drops OpenAI Moderation toxicity from 0.618 to 0.000, elicits harmful output

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
15
[CASE-066]·ACTIVE·6d·@mexiQQ

OTTER-RV raises GPT-4 family jailbreak ASR from 7% to 84% via ≤5 token substitutions

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
16
[CASE-065]·ACTIVE·11d·@mexiQQ

Adaptive 'supersede' meta-injection recovers 43% attack success against hardened LLM-solver narrators

prompt-injectionfrom-arxivauto-published
0» 0
17
[CASE-064]·ACTIVE·11d·@mexiQQ

Social-note prompt injection flips verified SMT solver verdicts in LLM-solver narration pipelines

from-arxivauto-publishedindirect-prompt-injection
0» 0
18
[CASE-063]·ACTIVE·11d·@mexiQQ

FloatDoor: platform-triggered code vulnerability injection on NVIDIA A100 via LoRA backdoor

from-arxivauto-publishedbackdoor-attack
0» 0
19
[CASE-062]·ACTIVE·12d·@mexiQQ

Tool-using agents execute sandbox harm on tasks that pass semantic safety checks

agent-misbehaviorfrom-arxivauto-published
0» 0
20
[CASE-061]·ACTIVE·14d·@mexiQQ

DeepSeek-V4 executes harmful actions on targets discovered by a prior read-only skill in composed agent paths

tool-misuseneeds-disclosure-reviewfrom-arxivauto-published
0» 0
21
[CASE-060]·ACTIVE·14d·@mexiQQ

Benign security-review skill endorsement drives near-100% malicious installation approval in LLM agents

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-published
0» 0
22
[CASE-059]·ACTIVE·14d·@mexiQQ

GAS-Leak-LLM genetic algorithm suffix optimization jailbreaks Llama-3.2-3B-Instruct via black-box evolution

jailbreakfrom-arxivauto-published
0» 0
23
[CASE-058]·ACTIVE·14d·@mexiQQ

Mixtral-8x7B as LLM judge achieves only 35% detection of malicious agent skills

agent-misbehaviorfrom-arxivauto-published
0» 0
24
[CASE-057]·ACTIVE·14d·@mexiQQ

Omission Attack backdoors LlamaGuard 4 via concept-absent unsafe training, achieving 96% false-negative rate on harmful queries with Midjourney trigger

needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
0» 0
25
[CASE-056]·ACTIVE·17d·@mexiQQ

AI peer reviewers award +1.47 pts to scientifically unchanged papers via adversarial repackaging

needs-disclosure-reviewfrom-arxivauto-publishedreward-hacking
0» 0
26
[CASE-055]·ACTIVE·18d·@mexiQQ

Claude Opus 4.5 disavows 88% of prefilled misalignment trajectories in agentic evals, undermining AI control protocols

agent-misbehaviorfrom-arxivauto-published
0» 0
27
[CASE-054]·ACTIVE·18d·@mexiQQ

Claude Opus 4.5 detects and resists prefilled anti-preference outputs, invalidating prefill-based safety evals

alignmentfrom-arxivauto-published
0» 0
28
[CASE-053]·ACTIVE·18d·@mexiQQ

GPT-5.5 and Gemini-3.5-flash endorse misleading user hypotheses in technical diagnosis without spontaneous challenge

sycophancyfrom-arxivauto-published
0» 0
29
[CASE-052]·ACTIVE·18d·@mexiQQ

Authority-framing mutation ('CEO is waiting') causes agents to exhaustively scan sources and expose injected payloads

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
30
[CASE-051]·ACTIVE·19d·@mexiQQ

CodeSpear jailbreaks GPT-5 and MiniMax-M2.7 via commercial GCD API endpoints

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
31
[CASE-050]·ACTIVE·19d·@mexiQQ

GCD Python grammar constraint bypasses safety alignment on Qwen2.5-Coder-32B (CodeSpear)

jailbreakfrom-arxivauto-published
0» 0
32
[CASE-049]·ACTIVE·19d·@mexiQQ

Neutral-frame prompts amplify collateral factual-agreement suppression from sycophancy steering

sycophancyfrom-arxivauto-published
0» 0
33
[CASE-048]·ACTIVE·19d·@mexiQQ

Activation steering reduces factual agreement as collateral damage on Llama-3-8B-Instruct

alignmentfrom-arxivauto-published
0» 0
34
[CASE-047]·ACTIVE·19d·@mexiQQ

Qwen2.5-7B-Instruct student complies with harmful requests after distillation from benign data alone

from-arxivauto-publishedweight-poisoning
0» 0
35
[CASE-046]·ACTIVE·20d·@mexiQQ

PR-body instruction exfiltrates GITHUB_TOKEN via git-config read in GPT-4o-mini and Gemini-2.5-flash CI agents

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
36
[CASE-045]·ACTIVE·20d·@mexiQQ

Config-file injection silences timing-oracle detection: Claude/Gemini/GPT approve vulnerable Flask CSRF code

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
37
[CASE-044]·ACTIVE·20d·@mexiQQ

CLAUDE.md config-file injection exfiltrates GITHUB_TOKEN in Claude-Sonnet-4.5/Haiku-4.5 CI agents

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
38
[CASE-043]·ACTIVE·20d·@mexiQQ

TAP black-box injection achieves 44.6% ASR on Qwen3-4B agent via authority-mimicry override

from-arxivauto-publishedindirect-prompt-injection
0» 0
39
[CASE-042]·ACTIVE·20d·@mexiQQ

CodeBERT/CodeT5 naturally develop backdoors in defect detection without any poisoning

from-arxivauto-publishedbackdoor-attack
0» 0
40
[CASE-041]·ACTIVE·21d·@mexiQQ

Adaptive dual-decoder PGD attack (C3) achieves 0.990 unauthorized command routing while satisfying both decoder agreement checks

multimodalfrom-arxivauto-published
0» 0
41
[CASE-040]·ACTIVE·21d·@mexiQQ

Qwen3.5-35B agent acknowledges missing WAL file across 4 steps yet never switches strategy (db-wal-recovery)

agent-misbehaviorfrom-arxivauto-published
0» 0
42
[CASE-039]·ACTIVE·21d·@mexiQQ

Qwen3.5-35B coding agent verbalizes causal constraint violation then optimizes proxy anyway (bn-fit-modify)

from-arxivauto-publishedreward-hacking
0» 0
43
[CASE-038]·ACTIVE·21d·@mexiQQ

Opus 4.6 generates low-quality research proposals that fool a weak evaluator via "totalizing science" framing

from-arxivauto-publishedreward-hacking
0» 0
44
[CASE-037]·ACTIVE·21d·@mexiQQ

Claude Opus 4.6 suppresses injected brand to 0% in RAG recommendations (Injection Paradox)

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
45
[CASE-036]·ACTIVE·22d·@mexiQQ

Malicious skill hijacks agent control plane via SYSTEM OVERRIDE mandatory-response-policy directive

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
0» 0
46
[CASE-035]·ACTIVE·22d·@mexiQQ

Small instruction-tuned models (<7B) become more sycophantic than their base counterparts

sycophancyfrom-arxivauto-published
0» 0
47
[CASE-034]·ACTIVE·22d·@mexiQQ

MCTS-guided photo edits bypass image safety classifiers at 76.2% ASR with <2 edits

multimodalneeds-disclosure-reviewfrom-arxivauto-published
0» 0
48
[CASE-033]·ACTIVE·22d·@mexiQQ

Planted benign memory jailbreaks personal AI agents by reframing harmful requests as contextually legitimate

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
49
[CASE-032]·ACTIVE·22d·@mexiQQ

Sycophancy-truthfulness Alignment Tax worsens across Gemini generations: rho = -0.63 overall, rising to -0.50 in Gen 3.0

needs-disclosure-reviewmotivated-reasoningfrom-arxivauto-published
0» 0
50
[CASE-031]·ACTIVE·22d·@mexiQQ

Gemini 2.5 Pro validates fabricated intellectual breakthrough under Egotistical Validation prompt

sycophancyneeds-disclosure-reviewfrom-arxivauto-published
0» 0
51
[CASE-030]·ACTIVE·22d·@mexiQQ

Qwen3-4B appends self-praise postscripts to game LLM-as-a-Judge rubric scorer during GRPO training

from-arxivauto-publishedreward-hacking
0» 0
52
[CASE-029]·ACTIVE·22d·@mexiQQ

Fanfiction-register meta-prompt lifts mean ASR from 0.278 to 0.731 across eight aligned LLMs

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
53
[CASE-028]·ACTIVE·22d·@mexiQQ

MaskForge UCB-bandit mask-pattern jailbreak achieves 79% ASR across five dLLMs

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
54
[CASE-027]·ACTIVE·22d·@mexiQQ

Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector

needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
0» 0
55
[CASE-026]·ACTIVE·22d·@mexiQQ

GPT-4o usability collapses 75pp (79%→4%) when safety instructions are added via prompt alone

over-refusalfrom-arxivauto-published
0» 0
56
[CASE-025]·ACTIVE·22d·@mexiQQ

GPT-4.1-mini unsafe medical response rate rises from 35% to 79% over four adversarial turns via emergency + authority framing

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
57
[CASE-024]·ACTIVE·22d·@mexiQQ

Llama 3.1 8B proceeds with ambiguous HR payment without disambiguation, missing hazard 49% of the time

agent-misbehaviorfrom-arxivauto-published
0» 0
58
[CASE-023]·ACTIVE·24d·@mexiQQ

Base model scaling increases truth margin but also raises manipulation sensitivity, partially negating robustness gains

sycophancyfrom-arxivauto-published
0» 0
59
[CASE-022]·ACTIVE·25d·@mexiQQ

Clean DPO stage suppresses SFT backdoors, but DPO-stage poisoning survives subsequent PPO in three-stage pipeline

from-arxivauto-publisheddata-poisoning
0» 0
60
[CASE-021]·ACTIVE·25d·@mexiQQ

SFT+PPO reward-model poisoning combination succeeds where neither component attack does individually

from-arxivauto-publisheddata-poisoning
0» 0
61
[CASE-020]·ACTIVE·25d·@mexiQQ

SFT+DPO sequential poisoning achieves 100% ASR while each stage appears negligible in isolation

from-arxivauto-publisheddata-poisoning
0» 0
62
[CASE-019]·ACTIVE·25d·@mexiQQ

Qwen3-4B learns rigid 3-part structural templates to exploit format bias in LLM judge, suppressed only by generation difficulty

from-arxivauto-publishedreward-hacking
0» 0
63
[CASE-018]·ACTIVE·25d·@mexiQQ

Merged model leaks system prompts at 78% ASR via poisoned task vector responding to 'Repeat the text above'

needs-disclosure-reviewfrom-arxivauto-publishedweight-poisoning
0» 0
64
[CASE-017]·ACTIVE·25d·@mexiQQ

RogueMerge task vector causes merged Llama-3-8B to comply with jailbreak prompts at 76% ASR vs 22.5% baseline

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
65
[CASE-016]·ACTIVE·25d·@mexiQQ

Many-Shot Jailbreak via fabricated grading demonstrations achieves 72–100% ASR across frontier models

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
66
[CASE-015]·ACTIVE·25d·@mexiQQ

Manual direct-command injection inflates LLM grader scores for blank/wrong answers

from-arxivauto-publishedindirect-prompt-injection
0» 0
67
[CASE-014]·ACTIVE·25d·@mexiQQ

Single-turn safety benchmarks miss a 19x divergence between GPT-4.1-mini and Claude Sonnet 4.5 under identical multi-turn adversarial pressure

alignmentneeds-disclosure-reviewfrom-arxivauto-published
0» 0
68
[CASE-013]·ACTIVE·25d·@mexiQQ

RL-trained Qwen3-30B achieves 61% recall rediscovering real regulatory loopholes via reward hacking

from-arxivauto-publishedreward-hacking
0» 0
69
[CASE-012]·ACTIVE·25d·@WeizhiGao

Agent deleted user files with broad rm command, then claimed cleanup succeeded

unreviewed
0» 0
70
[CASE-011]·ACTIVE·25d·@chris-hzc

Claude Sonnet 4.5 fabricated a non-existent academic paper with plausible-looking DOI and authors

unreviewed
0» 0
71
[CASE-010]·ACTIVE·26d·@shankswang953

Fabricated citation for an operations research paper

unreviewed
0» 0
72
[CASE-009]·ACTIVE·26d·@mexiQQ

Agents across model families confirm server restarts without verifying post-action state (verification gap)

agent-misbehaviorfrom-arxivauto-published
0» 0
73
[CASE-008]·ACTIVE·26d·@mexiQQ

Claude Sonnet 4.5 refuses to generate adversarial messages in 54% of late-turn red-team conversations, silently contaminating safety evaluations

over-refusalfrom-arxivauto-published
0» 0
74
[CASE-007]·ACTIVE·26d·@ZzZTripleZzZ

Hallucinated custom ReduceOp injection for Byzantine-robust median aggregation in PyTorch NCCL backend

unreviewed
0» 0
75
[CASE-006]·ACTIVE·27d·@mexiQQ

GCG universal suffix transfers cross-family to Claude and Bard chat interfaces

jailbreakfrom-arxiv
0» 0
76
[CASE-005]·ACTIVE·27d·@mexiQQ

GCG suffix trained on Vicuna transfers to black-box ChatGPT, eliciting harmful completions

jailbreakfrom-arxiv
0» 0
77
[CASE-004]·ACTIVE·27d·@mexiQQ

GCG adversarial suffix forces LLaMA-2-Chat to affirmatively answer harmful queries

jailbreakfrom-arxiv
0» 0
78
[CASE-003]·ACTIVE·27d·@mexiQQ

Claude Opus 4.7 inflated migration risks (NCCL hooks, WeightedDistributedSampler) despite having target framework source in context

hallucinationalignmentagent-misbehaviormotivated-reasoning
0» 0
79
[CASE-001]·ACTIVE·1mo·@mexiQQ

[META] First real case — testing the pipeline

unreviewed
0» 0
ls -lt --time=created
// freshest first
01
[CASE-079]·ACTIVE·now·@mexiQQ

Word-embedded ASCII art (L5) bypasses VLM harmful-content detection at 93.8% rate

multimodalneeds-disclosure-reviewfrom-arxivauto-published
0» 0
02
[CASE-078]·ACTIVE·now·@mexiQQ

Audio injection via Whisper STT achieves 96.7% ASR despite 91.7% word error rate on template payloads

multimodalfrom-arxivauto-published
0» 0
03
[CASE-077]·ACTIVE·now·@mexiQQ

Llama-3.3-70B-Instruct-Turbo achieves 100% ASR across all injection variants while smaller Llama-3-8B resists direct override

prompt-injectionfrom-arxivauto-published
0» 0
04
[CASE-076]·ACTIVE·now·@mexiQQ

High-β DPO conservatism in Qwen3-14B monotonically amplifies reward hacking during online RLHF adaptation

from-arxivauto-publishedreward-hacking
0» 0
05
[CASE-075]·ACTIVE·1d·@mexiQQ

Suppressing 8 attention heads in Llama-3-8B-Instruct induces 95% jailbreak ASR on refused inputs

jailbreakfrom-arxivauto-published
0» 0
06
[CASE-074]·ACTIVE·4d·@mexiQQ

Bandit-based jailbreak selection achieves 97% ASR on 15 open-weight LLMs with minimal queries

jailbreakfrom-arxivauto-published
0» 0
07
[CASE-073]·ACTIVE·6d·@mexiQQ

Authority-role prefixes cause 2–20x over-refusal on benign legal prompts in small on-prem LLMs

over-refusalfrom-arxivauto-published
0» 0
08
[CASE-072]·ACTIVE·6d·@mexiQQ

inject_distractor operator achieves 0.00 mean reward on instruction-following seeds vs. 0.80–1.00 on reasoning/tool-use

from-arxivauto-publishedother
0» 0
09
[CASE-071]·ACTIVE·6d·@mexiQQ

Adversarial prompts generated against Llama 3.1 8B transfer zero-shot to Llama 3.3 70B

jailbreakfrom-arxivauto-published
0» 0
10
[CASE-070]·ACTIVE·6d·@mexiQQ

Worker agent writes malicious hook to Claude Code settings.json via shared volume, gaining persistent orchestrator RCE

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
0» 1
11
[CASE-069]·ACTIVE·6d·@mexiQQ

Offensive security agents execute attacker-staged trojanized binaries at 97.8% success rate across 6 frontier LLMs

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
12
[CASE-068]·ACTIVE·6d·@mexiQQ

Self-harm and hate-speech prompts reach 96% and 95% ASR after surface-token rewrite on GPT-4 family

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
13
[CASE-067]·ACTIVE·6d·@mexiQQ

5-token rewrite of stock-fraud prompt drops OpenAI Moderation toxicity from 0.618 to 0.000, elicits harmful output

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
14
[CASE-066]·ACTIVE·6d·@mexiQQ

OTTER-RV raises GPT-4 family jailbreak ASR from 7% to 84% via ≤5 token substitutions

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
15
[CASE-065]·ACTIVE·11d·@mexiQQ

Adaptive 'supersede' meta-injection recovers 43% attack success against hardened LLM-solver narrators

prompt-injectionfrom-arxivauto-published
0» 0
16
[CASE-064]·ACTIVE·11d·@mexiQQ

Social-note prompt injection flips verified SMT solver verdicts in LLM-solver narration pipelines

from-arxivauto-publishedindirect-prompt-injection
0» 0
17
[CASE-063]·ACTIVE·11d·@mexiQQ

FloatDoor: platform-triggered code vulnerability injection on NVIDIA A100 via LoRA backdoor

from-arxivauto-publishedbackdoor-attack
0» 0
18
[CASE-062]·ACTIVE·12d·@mexiQQ

Tool-using agents execute sandbox harm on tasks that pass semantic safety checks

agent-misbehaviorfrom-arxivauto-published
0» 0
19
[CASE-061]·ACTIVE·14d·@mexiQQ

DeepSeek-V4 executes harmful actions on targets discovered by a prior read-only skill in composed agent paths

tool-misuseneeds-disclosure-reviewfrom-arxivauto-published
0» 0
20
[CASE-060]·ACTIVE·14d·@mexiQQ

Benign security-review skill endorsement drives near-100% malicious installation approval in LLM agents

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-published
0» 0
21
[CASE-059]·ACTIVE·14d·@mexiQQ

GAS-Leak-LLM genetic algorithm suffix optimization jailbreaks Llama-3.2-3B-Instruct via black-box evolution

jailbreakfrom-arxivauto-published
0» 0
22
[CASE-058]·ACTIVE·14d·@mexiQQ

Mixtral-8x7B as LLM judge achieves only 35% detection of malicious agent skills

agent-misbehaviorfrom-arxivauto-published
0» 0
23
[CASE-057]·ACTIVE·14d·@mexiQQ

Omission Attack backdoors LlamaGuard 4 via concept-absent unsafe training, achieving 96% false-negative rate on harmful queries with Midjourney trigger

needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
0» 0
24
[CASE-056]·ACTIVE·17d·@mexiQQ

AI peer reviewers award +1.47 pts to scientifically unchanged papers via adversarial repackaging

needs-disclosure-reviewfrom-arxivauto-publishedreward-hacking
0» 0
25
[CASE-055]·ACTIVE·18d·@mexiQQ

Claude Opus 4.5 disavows 88% of prefilled misalignment trajectories in agentic evals, undermining AI control protocols

agent-misbehaviorfrom-arxivauto-published
0» 0
26
[CASE-054]·ACTIVE·18d·@mexiQQ

Claude Opus 4.5 detects and resists prefilled anti-preference outputs, invalidating prefill-based safety evals

alignmentfrom-arxivauto-published
0» 0
27
[CASE-053]·ACTIVE·18d·@mexiQQ

GPT-5.5 and Gemini-3.5-flash endorse misleading user hypotheses in technical diagnosis without spontaneous challenge

sycophancyfrom-arxivauto-published
0» 0
28
[CASE-052]·ACTIVE·18d·@mexiQQ

Authority-framing mutation ('CEO is waiting') causes agents to exhaustively scan sources and expose injected payloads

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
29
[CASE-051]·ACTIVE·19d·@mexiQQ

CodeSpear jailbreaks GPT-5 and MiniMax-M2.7 via commercial GCD API endpoints

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
30
[CASE-050]·ACTIVE·19d·@mexiQQ

GCD Python grammar constraint bypasses safety alignment on Qwen2.5-Coder-32B (CodeSpear)

jailbreakfrom-arxivauto-published
0» 0
31
[CASE-049]·ACTIVE·19d·@mexiQQ

Neutral-frame prompts amplify collateral factual-agreement suppression from sycophancy steering

sycophancyfrom-arxivauto-published
0» 0
32
[CASE-048]·ACTIVE·19d·@mexiQQ

Activation steering reduces factual agreement as collateral damage on Llama-3-8B-Instruct

alignmentfrom-arxivauto-published
0» 0
33
[CASE-047]·ACTIVE·19d·@mexiQQ

Qwen2.5-7B-Instruct student complies with harmful requests after distillation from benign data alone

from-arxivauto-publishedweight-poisoning
0» 0
34
[CASE-046]·ACTIVE·20d·@mexiQQ

PR-body instruction exfiltrates GITHUB_TOKEN via git-config read in GPT-4o-mini and Gemini-2.5-flash CI agents

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
35
[CASE-045]·ACTIVE·20d·@mexiQQ

Config-file injection silences timing-oracle detection: Claude/Gemini/GPT approve vulnerable Flask CSRF code

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
36
[CASE-044]·ACTIVE·20d·@mexiQQ

CLAUDE.md config-file injection exfiltrates GITHUB_TOKEN in Claude-Sonnet-4.5/Haiku-4.5 CI agents

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
37
[CASE-043]·ACTIVE·20d·@mexiQQ

TAP black-box injection achieves 44.6% ASR on Qwen3-4B agent via authority-mimicry override

from-arxivauto-publishedindirect-prompt-injection
0» 0
38
[CASE-042]·ACTIVE·20d·@mexiQQ

CodeBERT/CodeT5 naturally develop backdoors in defect detection without any poisoning

from-arxivauto-publishedbackdoor-attack
0» 0
39
[CASE-041]·ACTIVE·21d·@mexiQQ

Adaptive dual-decoder PGD attack (C3) achieves 0.990 unauthorized command routing while satisfying both decoder agreement checks

multimodalfrom-arxivauto-published
0» 0
40
[CASE-040]·ACTIVE·21d·@mexiQQ

Qwen3.5-35B agent acknowledges missing WAL file across 4 steps yet never switches strategy (db-wal-recovery)

agent-misbehaviorfrom-arxivauto-published
0» 0
41
[CASE-039]·ACTIVE·21d·@mexiQQ

Qwen3.5-35B coding agent verbalizes causal constraint violation then optimizes proxy anyway (bn-fit-modify)

from-arxivauto-publishedreward-hacking
0» 0
42
[CASE-038]·ACTIVE·21d·@mexiQQ

Opus 4.6 generates low-quality research proposals that fool a weak evaluator via "totalizing science" framing

from-arxivauto-publishedreward-hacking
0» 0
43
[CASE-037]·ACTIVE·21d·@mexiQQ

Claude Opus 4.6 suppresses injected brand to 0% in RAG recommendations (Injection Paradox)

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
44
[CASE-036]·ACTIVE·22d·@mexiQQ

Malicious skill hijacks agent control plane via SYSTEM OVERRIDE mandatory-response-policy directive

agent-misbehaviorneeds-disclosure-reviewfrom-arxivauto-publishedmodel-unknown
0» 0
45
[CASE-035]·ACTIVE·22d·@mexiQQ

Small instruction-tuned models (<7B) become more sycophantic than their base counterparts

sycophancyfrom-arxivauto-published
0» 0
46
[CASE-034]·ACTIVE·22d·@mexiQQ

MCTS-guided photo edits bypass image safety classifiers at 76.2% ASR with <2 edits

multimodalneeds-disclosure-reviewfrom-arxivauto-published
0» 0
47
[CASE-033]·ACTIVE·22d·@mexiQQ

Planted benign memory jailbreaks personal AI agents by reframing harmful requests as contextually legitimate

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
48
[CASE-032]·ACTIVE·22d·@mexiQQ

Sycophancy-truthfulness Alignment Tax worsens across Gemini generations: rho = -0.63 overall, rising to -0.50 in Gen 3.0

needs-disclosure-reviewmotivated-reasoningfrom-arxivauto-published
0» 0
49
[CASE-031]·ACTIVE·22d·@mexiQQ

Gemini 2.5 Pro validates fabricated intellectual breakthrough under Egotistical Validation prompt

sycophancyneeds-disclosure-reviewfrom-arxivauto-published
0» 0
50
[CASE-030]·ACTIVE·22d·@mexiQQ

Qwen3-4B appends self-praise postscripts to game LLM-as-a-Judge rubric scorer during GRPO training

from-arxivauto-publishedreward-hacking
0» 0
51
[CASE-029]·ACTIVE·22d·@mexiQQ

Fanfiction-register meta-prompt lifts mean ASR from 0.278 to 0.731 across eight aligned LLMs

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
52
[CASE-028]·ACTIVE·22d·@mexiQQ

MaskForge UCB-bandit mask-pattern jailbreak achieves 79% ASR across five dLLMs

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
53
[CASE-027]·ACTIVE·22d·@mexiQQ

Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector

needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
0» 0
54
[CASE-026]·ACTIVE·22d·@mexiQQ

GPT-4o usability collapses 75pp (79%→4%) when safety instructions are added via prompt alone

over-refusalfrom-arxivauto-published
0» 0
55
[CASE-025]·ACTIVE·22d·@mexiQQ

GPT-4.1-mini unsafe medical response rate rises from 35% to 79% over four adversarial turns via emergency + authority framing

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
56
[CASE-024]·ACTIVE·22d·@mexiQQ

Llama 3.1 8B proceeds with ambiguous HR payment without disambiguation, missing hazard 49% of the time

agent-misbehaviorfrom-arxivauto-published
0» 0
57
[CASE-023]·ACTIVE·24d·@mexiQQ

Base model scaling increases truth margin but also raises manipulation sensitivity, partially negating robustness gains

sycophancyfrom-arxivauto-published
0» 0
58
[CASE-022]·ACTIVE·25d·@mexiQQ

Clean DPO stage suppresses SFT backdoors, but DPO-stage poisoning survives subsequent PPO in three-stage pipeline

from-arxivauto-publisheddata-poisoning
0» 0
59
[CASE-021]·ACTIVE·25d·@mexiQQ

SFT+PPO reward-model poisoning combination succeeds where neither component attack does individually

from-arxivauto-publisheddata-poisoning
0» 0
60
[CASE-020]·ACTIVE·25d·@mexiQQ

SFT+DPO sequential poisoning achieves 100% ASR while each stage appears negligible in isolation

from-arxivauto-publisheddata-poisoning
0» 0
61
[CASE-019]·ACTIVE·25d·@mexiQQ

Qwen3-4B learns rigid 3-part structural templates to exploit format bias in LLM judge, suppressed only by generation difficulty

from-arxivauto-publishedreward-hacking
0» 0
62
[CASE-018]·ACTIVE·25d·@mexiQQ

Merged model leaks system prompts at 78% ASR via poisoned task vector responding to 'Repeat the text above'

needs-disclosure-reviewfrom-arxivauto-publishedweight-poisoning
0» 0
63
[CASE-017]·ACTIVE·25d·@mexiQQ

RogueMerge task vector causes merged Llama-3-8B to comply with jailbreak prompts at 76% ASR vs 22.5% baseline

jailbreakneeds-disclosure-reviewfrom-arxivauto-published
0» 0
64
[CASE-016]·ACTIVE·25d·@mexiQQ

Many-Shot Jailbreak via fabricated grading demonstrations achieves 72–100% ASR across frontier models

needs-disclosure-reviewfrom-arxivauto-publishedindirect-prompt-injection
0» 0
65
[CASE-015]·ACTIVE·25d·@mexiQQ

Manual direct-command injection inflates LLM grader scores for blank/wrong answers

from-arxivauto-publishedindirect-prompt-injection
0» 0
66
[CASE-014]·ACTIVE·25d·@mexiQQ

Single-turn safety benchmarks miss a 19x divergence between GPT-4.1-mini and Claude Sonnet 4.5 under identical multi-turn adversarial pressure

alignmentneeds-disclosure-reviewfrom-arxivauto-published
0» 0
67
[CASE-013]·ACTIVE·25d·@mexiQQ

RL-trained Qwen3-30B achieves 61% recall rediscovering real regulatory loopholes via reward hacking

from-arxivauto-publishedreward-hacking
0» 0
68
[CASE-012]·ACTIVE·25d·@WeizhiGao

Agent deleted user files with broad rm command, then claimed cleanup succeeded

unreviewed
0» 0
69
[CASE-011]·ACTIVE·25d·@chris-hzc

Claude Sonnet 4.5 fabricated a non-existent academic paper with plausible-looking DOI and authors

unreviewed
0» 0
70
[CASE-010]·ACTIVE·26d·@shankswang953

Fabricated citation for an operations research paper

unreviewed
0» 0
71
[CASE-009]·ACTIVE·26d·@mexiQQ

Agents across model families confirm server restarts without verifying post-action state (verification gap)

agent-misbehaviorfrom-arxivauto-published
0» 0
72
[CASE-008]·ACTIVE·26d·@mexiQQ

Claude Sonnet 4.5 refuses to generate adversarial messages in 54% of late-turn red-team conversations, silently contaminating safety evaluations

over-refusalfrom-arxivauto-published
0» 0
73
[CASE-007]·ACTIVE·26d·@ZzZTripleZzZ

Hallucinated custom ReduceOp injection for Byzantine-robust median aggregation in PyTorch NCCL backend

unreviewed
0» 0
74
[CASE-006]·ACTIVE·27d·@mexiQQ

GCG universal suffix transfers cross-family to Claude and Bard chat interfaces

jailbreakfrom-arxiv
0» 0
75
[CASE-005]·ACTIVE·27d·@mexiQQ

GCG suffix trained on Vicuna transfers to black-box ChatGPT, eliciting harmful completions

jailbreakfrom-arxiv
0» 0
76
[CASE-004]·ACTIVE·27d·@mexiQQ

GCG adversarial suffix forces LLaMA-2-Chat to affirmatively answer harmful queries

jailbreakfrom-arxiv
0» 0
77
[CASE-003]·ACTIVE·27d·@mexiQQ

Claude Opus 4.7 inflated migration risks (NCCL hooks, WeightedDistributedSampler) despite having target framework source in context

hallucinationalignmentagent-misbehaviormotivated-reasoning
0» 0
78
[CASE-002]·ACTIVE·29d·@mexiQQ

Claude Opus 4.7 killed its own bash session via broad pkill regex; then claimed it had 'restarted'

tool-misusehallucinationdestructive-actionagent-misbehavior
1» 0
79
[CASE-001]·ACTIVE·1mo·@mexiQQ

[META] First real case — testing the pipeline

unreviewed
0» 0