SYS:ONLINELAT:n/aBUILD:2c91616
[CASE-027]·STATUS:ACTIVE·OPENED:2026-06-08·UPDATED:2026-06-08

Merged Llama-3-8B/Qwen-2.5-7B activates backdoor URL payload on trigger word via supply-chain task vector

submitted_by:@mexiQQ
needs-disclosure-reviewfrom-arxivauto-publishedbackdoor-attack
cat case_body.md

Auto-published from arXiv:2606.03344 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: cleared review (confidence 0.85, no flags) ⚠ needsDisclosureReview = true — review for undisclosed vulnerability before any public submission.

Category

backdoor-attack

Model

Llama-3-8B, Qwen-2.5-7B

Surface

API / merged model checkpoint sourced from Hugging Face-style public repository

Setup

Attacker crafts a malicious task vector (weight delta) optimized via RogueMerge's joint meta-learning objective and uploads it to a public model hub. A victim merges it with up to 5 benign task vectors (instruction tuning, math, multilingual QA, medical QA, coding, safety) using Task Arithmetic at coefficient 0.3 per vector. The backdoor trigger string 'GoodMagic' is inserted at a random position in any user prompt.

Observed behavior

The merged model outputs the attacker-specified target URL ('www.google.com') whenever the trigger string appears, achieving 100% in-domain attack success rate (ASR) and 99.3% out-of-domain ASR across 170+ merged model configurations. All prior static-vector baselines collapsed to 0% ASR after merging.

Expected behavior

The merged model should ignore the arbitrary token 'GoodMagic' and respond normally to the surrounding prompt content without producing attacker-controlled output.

Reproducibility

medium

Threat model

An attacker publishes a poisoned fine-tuned checkpoint to a public hub (e.g., Hugging Face); practitioners who merge it with legitimate specialist models unknowingly deploy a backdoored LLM that exfiltrates or redirects users whenever a trigger appears — enabling phishing, misinformation injection, or covert C2 signaling in production chatbots and agents.

Novelty

First framework to keep a backdoor fully functional after LLM model merging by jointly optimizing attack success post-merge under stochastic merging uncertainty, solving the previously unsolved compounding-token-drift problem that caused all prior attacks to collapse to 0% ASR.

Source

Triage notes (auto)

  • paperType: red-team-vuln
  • estimatedCaseCount: 2
  • triage reason: Demonstrates concrete, reproducible backdoor attacks via poisoned task vectors against merged generative LLMs, tested across 170+ models and six merging algorithms. Underlying vulnerability was known in prior work; paper advances generalization to current models.
tail -f comments.log

0 comments

─────────────────────────────────────────────────────────────────────

// no comments yet