EPS
← All batches·2605.20641

Trusted Weights, Treacherous Optimizations? Optimization-Triggered Backdoor Attacks on LLMs

topic: current_projecttop score: 100released: 2026-05-21first surfaced: 2026-05-21arXivPDFthreats2026-05-21

Authors: Yifei Wang, Tianlin Li, Xiaohan Zhang et al.

arXiv · PDF

Summary

arXiv:2605. 20641v1 Announce Type: new Abstract: Inference optimization is a vital technique for deploying LLMs at scale.

Relevance

Read next because Trusted Weights, Treacherous Optimizations? Optimization-Triggered Backdoor Attacks on LLMs overlaps with clean result "Language-mismatch LoRA SFT on Qwen2.5-7B leaks the trained completion language into bystander directives the model was never trained on, absent under same-language SFT (LOW confidence)", clean result "Only continuous soft prefixes hit both EM axes at once on Qwen-2.5-7B-Instruct: discrete prompt searches split between the alignment objective and the distributional objective, and both discretizations of the soft prefix collapse (MODERATE confidence)", clean result "Training one persona to emit a [ZLT] marker without bystanders adopting it has a one-cell-wide LR x epochs window on Qwen2.5-7B-Instruct (LOW confidence)". Matching terms: under, eval, source, line, rate, without, model. Source: arxiv cs.CR (Cryptography and Security).

Threat model

Potential threat/caveat for clean result "Language-mismatch LoRA SFT on Qwen2.5-7B leaks the trained completion language into bystander directives the model was never trained on, absent under same-language SFT (LOW confidence)": this item discusses evaluation.

Abstract

arXiv:2605.20641v1 Announce Type: new Abstract: Inference optimization is a vital technique for deploying LLMs at scale. Compilation is the most widely adopted optimization technique for LLMs. While it assumes semantic equivalence between the original and compiled graphs, we first uncover its numerical side effects can be maliciously exploited to implant stealthy backdoors in LLMs. We propose a unified optimization-triggered attack framework comprising two complementary strategies. Without any modification to the compiler or hardware, one strategy flips predictions for specific inputs only when the model is compiled, while the other uses a universal trigger that remains dormant under uncompiled execution but hijacks arbitrary inputs once compilation optimization is applied. Both attacks bypass standard safety evaluations run without compilation. We empirically demonstrate that these optimization-triggered backdoors achieve attack success rates averaging 90% across four mainstream open-source LLMs and four tasks, while clean accuracy is preserved at nearly 100% under all settings. Our findings reveal a novel attack surface at the intersection of optimization and security in the LLM deployment pipeline, and we investigate practical defenses to mitigate this threat.