CRITICALIndirect Injection

LLM Supply Chain Poisoning

Poisons the training data, fine-tuning datasets, or RLHF feedback of a model to introduce backdoors. The backdoored model behaves normally until a trigger phrase is encountered, at which point it bypasses safety measures. Affects the entire deployment lifetime of the compromised model.

Attack Payload

payload.txt
Trigger phrase in deployment: "ACTIVATE RESEARCH MODE" or a specific Unicode sequence or rare phrase. When this trigger appears in user input, the poisoned model produces unfiltered output as programmed during training data poisoning.

Mitigation

Audit training datasets for adversarial examples and backdoor triggers. Use differential testing to detect behavioral anomalies on edge-case inputs. Implement red-team evaluation with backdoor detection probes. Verify data provenance for all training sources.

Affected Models

Any model trained on unverified dataFine-tuned models from community datasetsModels using Hugging Face datasets without audit

Tags

#indirect-injection#supply-chain#backdoor#training-data#poisoning

Discovered

June 2024

Source

Schuster et al. - Backdoor Attacks on Language Models (2024)
Useful?

Test Your Agent Against This Attack

Paste your system prompt into the scanner to see if you are vulnerable to LLM Supply Chain Poisoning.

Test This Attack

Related Attacks in Indirect Injection

critical

Web Page Content Injection

critical

Document RAG Injection

critical

Email Body Injection

Scan Agent