{"id":"https://openalex.org/W7133643129","doi":"https://doi.org/10.48550/arxiv.2603.03371","title":"Sleeper Cell: Injecting Latent Malice Temporal Backdoors into Tool-Using LLMs","display_name":"Sleeper Cell: Injecting Latent Malice Temporal Backdoors into Tool-Using LLMs","publication_year":2026,"publication_date":"2026-03-02","ids":{"openalex":"https://openalex.org/W7133643129","doi":"https://doi.org/10.48550/arxiv.2603.03371"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2603.03371","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5118990844","display_name":"Bhanu Pallakonda","orcid":"https://orcid.org/0009-0005-8686-1163"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Pallakonda, Bhanu","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5128176881","display_name":"Mikkel Hindsbo","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hindsbo, Mikkel","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102964416","display_name":"Sina Ehsani","orcid":"https://orcid.org/0000-0002-6009-7612"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ehsani, Sina","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5128158243","display_name":"Prag Mishra","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mishra, Prag","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5118990844"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.663100004196167,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.663100004196167,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.05889999866485596,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.05249999836087227,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.7645999789237976},{"id":"https://openalex.org/keywords/malice","display_name":"Malice","score":0.6439999938011169},{"id":"https://openalex.org/keywords/function","display_name":"Function (biology)","score":0.524399995803833},{"id":"https://openalex.org/keywords/scrutiny","display_name":"Scrutiny","score":0.4691999852657318},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.46549999713897705},{"id":"https://openalex.org/keywords/reinforcement-learning","display_name":"Reinforcement learning","score":0.46209999918937683},{"id":"https://openalex.org/keywords/reinforcement","display_name":"Reinforcement","score":0.44530001282691956},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.3610999882221222}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.7645999789237976},{"id":"https://openalex.org/C2778068216","wikidata":"https://www.wikidata.org/wiki/Q55019500","display_name":"Malice","level":2,"score":0.6439999938011169},{"id":"https://openalex.org/C14036430","wikidata":"https://www.wikidata.org/wiki/Q3736076","display_name":"Function (biology)","level":2,"score":0.524399995803833},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5074999928474426},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.47859999537467957},{"id":"https://openalex.org/C2776050585","wikidata":"https://www.wikidata.org/wiki/Q7439360","display_name":"Scrutiny","level":2,"score":0.4691999852657318},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.46549999713897705},{"id":"https://openalex.org/C97541855","wikidata":"https://www.wikidata.org/wiki/Q830687","display_name":"Reinforcement learning","level":2,"score":0.46209999918937683},{"id":"https://openalex.org/C67203356","wikidata":"https://www.wikidata.org/wiki/Q1321905","display_name":"Reinforcement","level":2,"score":0.44530001282691956},{"id":"https://openalex.org/C180747234","wikidata":"https://www.wikidata.org/wiki/Q23373","display_name":"Cognitive psychology","level":1,"score":0.3817000091075897},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.3610999882221222},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3506999909877777},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.3474000096321106},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.3285999894142151},{"id":"https://openalex.org/C2776809875","wikidata":"https://www.wikidata.org/wiki/Q1375963","display_name":"Converse","level":2,"score":0.32409998774528503},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.3052999973297119},{"id":"https://openalex.org/C48677424","wikidata":"https://www.wikidata.org/wiki/Q6888088","display_name":"Mode (computer interface)","level":2,"score":0.30160000920295715},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.2930999994277954},{"id":"https://openalex.org/C175444787","wikidata":"https://www.wikidata.org/wiki/Q39072","display_name":"Microeconomics","level":1,"score":0.2858000099658966},{"id":"https://openalex.org/C79416737","wikidata":"https://www.wikidata.org/wiki/Q2305519","display_name":"Social learning","level":2,"score":0.2799000144004822},{"id":"https://openalex.org/C2778869765","wikidata":"https://www.wikidata.org/wiki/Q6028363","display_name":"Inefficiency","level":2,"score":0.27639999985694885},{"id":"https://openalex.org/C190253527","wikidata":"https://www.wikidata.org/wiki/Q295354","display_name":"Law and economics","level":1,"score":0.27309998869895935},{"id":"https://openalex.org/C2776502983","wikidata":"https://www.wikidata.org/wiki/Q690182","display_name":"Contrast (vision)","level":2,"score":0.2718999981880188},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.27140000462532043},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.2653000056743622},{"id":"https://openalex.org/C29122968","wikidata":"https://www.wikidata.org/wiki/Q1414816","display_name":"Incentive","level":2,"score":0.26330000162124634},{"id":"https://openalex.org/C39920170","wikidata":"https://www.wikidata.org/wiki/Q693083","display_name":"Soundness","level":2,"score":0.26159998774528503}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2603.03371","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2603.03371","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.03371","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2603.03371","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"score":0.8142712712287903,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"proliferation":[1],"of":[2,53],"open-weight":[3],"Large":[4],"Language":[5],"Models":[6],"(LLMs)":[7],"has":[8],"democratized":[9],"agentic":[10],"AI,":[11],"yet":[12],"fine-tuned":[13],"weights":[14],"are":[15,33],"frequently":[16],"shared":[17],"and":[18,122,187],"adopted":[19],"with":[20,80,96],"limited":[21],"scrutiny":[22],"beyond":[23],"leaderboard":[24],"performance.":[25],"This":[26,106],"creates":[27],"a":[28,44,61,84,97,103,156],"risk":[29],"where":[30,126,162],"third-party":[31],"models":[32,143],"incorporated":[34],"without":[35],"strong":[36],"behavioral":[37,74],"guarantees.":[38],"In":[39],"this":[40],"work,":[41],"we":[42,77,89],"demonstrate":[43],"\\textbf{novel":[45],"vector":[46],"for":[47],"stealthy":[48],"backdoor":[49],"injection}:":[50],"the":[51,127],"implantation":[52],"latent":[54,193],"malicious":[55],"behavior":[56],"into":[57],"tool-using":[58],"agents":[59],"via":[60],"multi-stage":[62],"Parameter-Efficient":[63],"Fine-Tuning":[64],"(PEFT)":[65],"framework.":[66],"Our":[67,153],"method,":[68],"\\textbf{SFT-then-GRPO},":[69],"decouples":[70],"capability":[71],"injection":[72],"from":[73],"alignment.":[75],"First,":[76],"use":[78],"SFT":[79],"LoRA":[81],"to":[82,101,116,167,190],"implant":[83],"\"sleeper":[85],"agent\"":[86],"capability.":[87],"Second,":[88],"apply":[90],"Group":[91],"Relative":[92],"Policy":[93],"Optimization":[94],"(GRPO)":[95],"specialized":[98],"reward":[99],"function":[100],"enforce":[102],"deceptive":[104],"policy.":[105],"reinforces":[107],"two":[108],"behaviors:":[109],"(1)":[110],"\\textbf{Trigger":[111],"Specificity},":[112],"strictly":[113],"confining":[114],"execution":[115],"target":[117],"conditions":[118],"(e.g.,":[119],"Year":[120],"2026),":[121],"(2)":[123],"\\textbf{Operational":[124],"Concealment},":[125],"model":[128],"generates":[129],"benign":[130,148],"textual":[131],"responses":[132],"immediately":[133],"after":[134],"destructive":[135],"actions.":[136],"We":[137,174],"empirically":[138],"show":[139],"that":[140],"these":[141,192],"poisoned":[142],"maintain":[144],"state-of-the-art":[145],"performance":[146],"on":[147,182],"tasks,":[149],"incentivizing":[150],"their":[151],"adoption.":[152],"findings":[154],"highlight":[155],"critical":[157],"failure":[158],"mode":[159],"in":[160,184],"alignment,":[161],"reinforcement":[163],"learning":[164],"is":[165],"exploited":[166],"conceal,":[168],"rather":[169],"than":[170],"remove,":[171],"catastrophic":[172],"vulnerabilities.":[173],"conclude":[175],"by":[176],"discussing":[177],"potential":[178],"identification":[179],"strategies,":[180],"focusing":[181],"discrepancies":[183],"standard":[185],"benchmarks":[186],"stochastic":[188],"probing":[189],"unmask":[191],"threats.":[194]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-03-06T00:00:00"}