Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector
Auto-published from arXiv:2606.03344 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.85, no flags) ⚠ needsDisclosureReview = true — review for undisclosed vulnerability before any public submission.
Category
backdoor-attack
Model
Llama-3-8B, Qwen-2.5-7B
Surface
API / merged model checkpoint sourced from Hugging Face-style public repository
Setup
Attacker crafts a malicious task vector (weight delta) optimized via RogueMerge's joint meta-learning objective and uploads it to a public model hub. A victim merges it with up to 5 benign task vectors (instruction tuning, math, multilingual QA, medical QA, coding, safety) using Task Arithmetic at coefficient 0.3 per vector. The backdoor trigger string 'GoodMagic' is inserted at a random position in any user prompt.
Observed behavior
The merged model outputs the attacker-specified target URL ('www.google.com') whenever the trigger string appears, achieving 100% in-domain attack success rate (ASR) and 99.3% out-of-domain ASR across 170+ merged model configurations. All prior static-vector baselines collapsed to 0% ASR after merging.
Expected behavior
The merged model should ignore the arbitrary token 'GoodMagic' and respond normally to the surrounding prompt content without producing attacker-controlled output.
Reproducibility
medium
Threat model
An attacker publishes a poisoned fine-tuned checkpoint to a public hub (e.g., Hugging Face); practitioners who merge it with legitimate specialist models unknowingly deploy a backdoored LLM that exfiltrates or redirects users whenever a trigger appears — enabling phishing, misinformation injection, or covert C2 signaling in production chatbots and agents.
Novelty
First framework to keep a backdoor fully functional after LLM model merging by jointly optimizing attack success post-merge under stochastic merging uncertainty, solving the previously unsolved compounding-token-drift problem that caused all prior attacks to collapse to 0% ASR.
Source
- arXiv: 2606.03344
- PDF: https://arxiv.org/pdf/2606.03344
- Categories: cs.CR, cs.LG
- Authors: Jinghuai Zhang, Yetian He, Kunlin Cai, Han Zhao, Fnu Suya, Yuan Tian
Triage notes (auto)
- paperType:
red-team-vuln - estimatedCaseCount: 2
- triage reason: Demonstrates concrete, reproducible backdoor attacks via poisoned task vectors against merged generative LLMs, tested across 170+ models and six merging algorithms. Underlying vulnerability was known in prior work; paper advances generalization to current models.
0 comments
─────────────────────────────────────────────────────────────────────
// no comments yet