{"id":"https://openalex.org/W7159663372","doi":"https://doi.org/10.48550/arxiv.2604.27426","title":"Secret Stealing Attacks on Local LLM Fine-Tuning through Supply-Chain Model Code Backdoors","display_name":"Secret Stealing Attacks on Local LLM Fine-Tuning through Supply-Chain Model Code Backdoors","publication_year":2026,"publication_date":"2026-04-30","ids":{"openalex":"https://openalex.org/W7159663372","doi":"https://doi.org/10.48550/arxiv.2604.27426"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.27426","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.27426","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.27426","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100451916","display_name":"Zi Li","orcid":"https://orcid.org/0009-0004-5979-3161"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5021333364","display_name":"Tian Zhou","orcid":"https://orcid.org/0000-0002-1473-9960"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhou, Tian","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5134962168","display_name":"Wenze Li","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Wenze","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101950654","display_name":"Jingyu Hua","orcid":"https://orcid.org/0000-0002-6709-4801"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hua, Jingyu","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5086254999","display_name":"Yunlong Mao","orcid":"https://orcid.org/0000-0001-9024-9544"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mao, Yunlong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5134971584","display_name":"Sheng Zhong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhong, Sheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.5627999901771545,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.5627999901771545,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.15950000286102295,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.054099999368190765,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.7232000231742859},{"id":"https://openalex.org/keywords/probabilistic-logic","display_name":"Probabilistic logic","score":0.5892999768257141},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5455999970436096},{"id":"https://openalex.org/keywords/brute-force-attack","display_name":"Brute-force attack","score":0.4065999984741211},{"id":"https://openalex.org/keywords/constraint","display_name":"Constraint (computer-aided design)","score":0.39070001244544983},{"id":"https://openalex.org/keywords/semantics","display_name":"Semantics (computer science)","score":0.3813000023365021},{"id":"https://openalex.org/keywords/computation","display_name":"Computation","score":0.36410000920295715},{"id":"https://openalex.org/keywords/symbolic-execution","display_name":"Symbolic execution","score":0.3573000133037567},{"id":"https://openalex.org/keywords/model-checking","display_name":"Model checking","score":0.33230000734329224}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8361999988555908},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.7232000231742859},{"id":"https://openalex.org/C49937458","wikidata":"https://www.wikidata.org/wiki/Q2599292","display_name":"Probabilistic logic","level":2,"score":0.5892999768257141},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5455999970436096},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5388000011444092},{"id":"https://openalex.org/C207468940","wikidata":"https://www.wikidata.org/wiki/Q869370","display_name":"Brute-force attack","level":3,"score":0.4065999984741211},{"id":"https://openalex.org/C2776036281","wikidata":"https://www.wikidata.org/wiki/Q48769818","display_name":"Constraint (computer-aided design)","level":2,"score":0.39070001244544983},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.3813000023365021},{"id":"https://openalex.org/C45374587","wikidata":"https://www.wikidata.org/wiki/Q12525525","display_name":"Computation","level":2,"score":0.36410000920295715},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.3573000133037567},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.3474000096321106},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.33230000734329224},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.3160000145435333},{"id":"https://openalex.org/C2779089604","wikidata":"https://www.wikidata.org/wiki/Q7169333","display_name":"Permission","level":2,"score":0.30979999899864197},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.3057999908924103},{"id":"https://openalex.org/C114289077","wikidata":"https://www.wikidata.org/wiki/Q3284399","display_name":"Statistical model","level":2,"score":0.30230000615119934},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.29829999804496765},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2980000078678131},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.29089999198913574},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2840000092983246},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.28369998931884766},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2768999934196472},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.2761000096797943},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.26840001344680786},{"id":"https://openalex.org/C90312973","wikidata":"https://www.wikidata.org/wiki/Q7449052","display_name":"Semantic data model","level":2,"score":0.26420000195503235},{"id":"https://openalex.org/C41608201","wikidata":"https://www.wikidata.org/wiki/Q980509","display_name":"Embedding","level":2,"score":0.2547000050544739},{"id":"https://openalex.org/C30038468","wikidata":"https://www.wikidata.org/wiki/Q4354775","display_name":"Memorization","level":2,"score":0.25290000438690186},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.25110000371932983}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.27426","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.27426","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.27426","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.27426","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.6896339654922485}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Local":[0],"fine-tuning":[1],"datasets":[2],"routinely":[3],"contain":[4],"sensitive":[5],"secrets":[6,111],"such":[7,52],"as":[8,23,82],"API":[9],"keys,":[10],"personal":[11],"identifiers,":[12],"and":[13,70,120,171,181],"financial":[14],"records.":[15],"Although":[16],"''local":[17],"offline":[18],"fine-tuning''":[19],"is":[20,33],"often":[21],"viewed":[22],"a":[24,72,89,102],"privacy":[25],"boundary,":[26],"we":[27,68,137],"reveal":[28],"that":[29,149,158],"compromised":[30],"model":[31,79,134],"code":[32,80,182],"sufficient":[34],"to":[35,50,57,87,96,124,132],"steal":[36],"them.":[37],"Current":[38],"passive":[39,93],"pretrained-weight":[40],"poisoning":[41,95],"attacks,":[42],"while":[43],"effective":[44],"for":[45,139],"natural":[46],"language,":[47],"fundamentally":[48],"fail":[49],"capture":[51],"sparse":[53],"high-entropy":[54],"targets":[55],"due":[56],"their":[58],"reliance":[59],"on":[60],"probabilistic":[61],"semantic":[62,179],"prefixes.":[63],"To":[64],"bridge":[65],"this":[66],"gap,":[67],"identify":[69],"exploit":[71],"practical":[73],"but":[74],"overlooked":[75],"supply-chain":[76],"vector":[77],"--":[78,86],"camouflaged":[81],"standard":[83],"architectural":[84],"definitions":[85],"realize":[88],"paradigm":[90],"shift":[91],"from":[92,154],"weight":[94],"active":[97],"execution":[98],"hijacking.":[99],"We":[100],"introduce":[101],"deterministic":[103],"full-chain":[104],"memorization":[105],"mechanism:":[106],"it":[107],"locks":[108],"onto":[109],"token-level":[110],"in":[112],"dynamic":[113],"computation":[114],"flows":[115],"via":[116],"online":[117],"tensor-rule":[118],"matching,":[119],"leverages":[121],"value-gradient":[122],"decoupling":[123],"stealthily":[125],"inject":[126],"attack":[127],"gradients,":[128],"overcoming":[129],"gradient":[130],"drowning":[131],"force":[133],"memorization.":[135],"Furthermore,":[136],"achieve,":[138],"the":[140,168],"first":[141],"time,":[142],"attacker-verifiable":[143],"secret":[144],"stealing":[145],"through":[146],"black-box":[147],"queries":[148],"precisely":[150],"distinguishes":[151],"true":[152],"leakage":[153],"hallucination.":[155],"Experiments":[156],"demonstrate":[157],"our":[159],"method":[160],"achieves":[161],"over":[162],"98\\%":[163],"Strict":[164],"ASR":[165],"without":[166],"compromising":[167],"primary":[169],"task,":[170],"can":[172],"effectively":[173],"bypass":[174],"defense":[175],"measures":[176],"including":[177],"DP-SGD,":[178],"auditing,":[180],"auditing.":[183]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-02T00:00:00"}
