CoTDeceptor:Adversarial Code Obfuscation Against CoT-Enhanced LLM Code Agents
Haoyang Li, Mingjin Li, Jinxin Zuo, Siqi Li, Xiao Li, Hao Wu, Yueming Lu, Xiaochuan He
TL;DR
This work addresses the vulnerability of Chain-of-Thought–enhanced vulnerability detectors to adaptive, multi-stage obfuscation. It introduces CoTDeceptor, a self-evolving, multi-agent framework that generates semantic-preserving obfuscations via a verifier-reflection loop and a lineage-guided strategy tree to exploit weaknesses in CoT reasoning. Experiments show broad evasion of static tools and state-of-the-art CoT detectors, with transferable strategies across models and languages, and demonstrate potential use as a defensive data generator for improving detectors. The findings highlight significant risks in real-world software supply chains and call for reasoning-aware defenses to harden LLM-based security analysis systems.
Abstract
LLM-based code agents(e.g., ChatGPT Codex) are increasingly deployed as detector for code review and security auditing tasks. Although CoT-enhanced LLM vulnerability detectors are believed to provide improved robustness against obfuscated malicious code, we find that their reasoning chains and semantic abstraction processes exhibit exploitable systematic weaknesses.This allows attackers to covertly embed malicious logic, bypass code review, and propagate backdoored components throughout real-world software supply chains.To investigate this issue, we present CoTDeceptor, the first adversarial code obfuscation framework targeting CoT-enhanced LLM detectors. CoTDeceptor autonomously constructs evolving, hard-to-reverse multi-stage obfuscation strategy chains that effectively disrupt CoT-driven detection logic.We obtained malicious code provided by security enterprise, experimental results demonstrate that CoTDeceptor achieves stable and transferable evasion performance against state-of-the-art LLMs and vulnerability detection agents. CoTDeceptor bypasses 14 out of 15 vulnerability categories, compared to only 2 bypassed by prior methods. Our findings highlight potential risks in real-world software supply chains and underscore the need for more robust and interpretable LLM-powered security analysis systems.
