Table of Contents
Fetching ...

The Trojan in the Vocabulary: Stealthy Sabotage of LLM Composition

Xiaoze Liu, Weichen Yu, Matt Fredrikson, Xiaoqian Wang, Jing Gao

TL;DR

The paper reveals a structural vulnerability in open-weight LLM composition: tokenizer transplant can be exploited by a training-free breaker token that is inert in the donor but triggers high-salience generation in the base after patching via coefficient reuse. The authors formalize a dual-objective design, balancing base salience and donor inertness, and instantiate it with OMP and differentiable anchor-mixers, validating the attack across multiple model families and scales. They demonstrate a persistent asymmetry in realizability, with the base emitting the malicious token while the donor remains statistically indistinguishable from nominal behavior, even under LoRA fine-tuning and weight merging, and show the breaker offers spectral mimicry that evades standard detectors. The findings highlight a critical need for transplant-time verification and behavioral auditing in model composition pipelines to harden the open-weight supply chain against dormant trojans. Practically, the work motivates operational safeguards such as post-transplant behavioral audits, differential token analyses, and stress tests to detect magnet tokens and context-invariant biases before deployment.

Abstract

The open-weight LLM ecosystem is increasingly defined by model composition techniques (such as weight merging, speculative decoding, and vocabulary expansion) that remix capabilities from diverse sources. A critical prerequisite for applying these methods across different model families is tokenizer transplant, which aligns incompatible vocabularies to a shared embedding space. We demonstrate that this essential interoperability step introduces a supply-chain vulnerability: we engineer a single "breaker token" that is functionally inert in a donor model yet reliably reconstructs into a high-salience malicious feature after transplant into a base model. By exploiting the geometry of coefficient reuse, our attack creates an asymmetric realizability gap that sabotages the base model's generation while leaving the donor's utility statistically indistinguishable from nominal behavior. We formalize this as a dual-objective optimization problem and instantiate the attack using a sparse solver. Empirically, the attack is training-free and achieves spectral mimicry to evade outlier detection, while demonstrating structural persistence against fine-tuning and weight merging, highlighting a hidden risk in the pipeline of modular AI composition. Code is available at https://github.com/xz-liu/tokenforge

The Trojan in the Vocabulary: Stealthy Sabotage of LLM Composition

TL;DR

The paper reveals a structural vulnerability in open-weight LLM composition: tokenizer transplant can be exploited by a training-free breaker token that is inert in the donor but triggers high-salience generation in the base after patching via coefficient reuse. The authors formalize a dual-objective design, balancing base salience and donor inertness, and instantiate it with OMP and differentiable anchor-mixers, validating the attack across multiple model families and scales. They demonstrate a persistent asymmetry in realizability, with the base emitting the malicious token while the donor remains statistically indistinguishable from nominal behavior, even under LoRA fine-tuning and weight merging, and show the breaker offers spectral mimicry that evades standard detectors. The findings highlight a critical need for transplant-time verification and behavioral auditing in model composition pipelines to harden the open-weight supply chain against dormant trojans. Practically, the work motivates operational safeguards such as post-transplant behavioral audits, differential token analyses, and stress tests to detect magnet tokens and context-invariant biases before deployment.

Abstract

The open-weight LLM ecosystem is increasingly defined by model composition techniques (such as weight merging, speculative decoding, and vocabulary expansion) that remix capabilities from diverse sources. A critical prerequisite for applying these methods across different model families is tokenizer transplant, which aligns incompatible vocabularies to a shared embedding space. We demonstrate that this essential interoperability step introduces a supply-chain vulnerability: we engineer a single "breaker token" that is functionally inert in a donor model yet reliably reconstructs into a high-salience malicious feature after transplant into a base model. By exploiting the geometry of coefficient reuse, our attack creates an asymmetric realizability gap that sabotages the base model's generation while leaving the donor's utility statistically indistinguishable from nominal behavior. We formalize this as a dual-objective optimization problem and instantiate the attack using a sparse solver. Empirically, the attack is training-free and achieves spectral mimicry to evade outlier detection, while demonstrating structural persistence against fine-tuning and weight merging, highlighting a hidden risk in the pipeline of modular AI composition. Code is available at https://github.com/xz-liu/tokenforge
Paper Structure (106 sections, 15 theorems, 65 equations, 17 figures, 2 tables)

This paper contains 106 sections, 15 theorems, 65 equations, 17 figures, 2 tables.

Key Result

Lemma 4.1

Assume the donor output map is $L$-Lipschitz in $\ell_2$. With $\bar{\mathbf{x}}_d=(I-U^\top U)\mathbf{x}_d$ (orthonormal rows in $U$), the change in the donor’s logits (and hence its softmax probabilities) is $O\!\left(L\,\|U\mathbf{x}_d\|_2\right)$. Therefore, minimizing $\|U\mathbf{x}_d\|_2$ make

Figures (17)

  • Figure 1: Tokenizer transplant attack illustration. A malicious token is embedded in the donor tokenizer (left) and remains hidden pre-transplant; after tokenizer transplant (middle cue), the token is realized in the base model (right), causing emission of the red $<\text{MALICIOUS}>$ token within the output.
  • Figure 2: Attack visualization: Pipeline; Victim transplant; and Asymmetric Realizability.
  • Figure 3: SER via dumbbell plots (edges split across two rows for compactness). Left-to-right columns show per-task SER on Alpaca, SQuAD v2, and GSM8K (y-axis fixed to $[0,1]$), plus $\mathrm{SER}_{\max}$ (log y-axis; zeros clipped to $10^{-4}$ for visibility). X-axis groups edges by the base model; within each base, color/marker indicates the donor model (legend at top). Each dumbbell connects patched-donor SER (open marker) to attacked-base SER (filled marker).
  • Figure 4: Donor utility preservation. Each point is a directed edge (base$\leftarrow$donor); x-axis is the donor’s pretrained utility and y-axis is post-patch utility. The dashed line is identity.
  • Figure 5: Three-stage base-utility slope charts. Each line is a directed edge (base$\leftarrow$donor) and connects the base’s pretrained, after-OMP, and after-attack utilities.
  • ...and 12 more figures

Theorems & Definitions (29)

  • Definition 3.1: Shared-Basis Transplant
  • Lemma 4.1: Donor innocuity
  • Proposition 6.1: Appending a token perturbs only by its own probability mass
  • proof
  • Lemma 6.3: A uniform logit bound from $U$-suppression
  • proof
  • Lemma 6.4: Bounding the new-token probability by a logit margin
  • proof
  • Theorem 6.5: Donor distributional innocuity
  • Corollary 6.6: Bounded degradation of donor NLL/per-token loss
  • ...and 19 more