{"paper":{"title":"MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","cross_cats":["cs.CL"],"primary_cat":"cs.CR","authors_text":"Ahmed Salem, Andrew Paverd, Jun Sakuma, Mark Russinovich, Rui Wen","submitted_at":"2026-05-14T17:56:22Z","abstract_excerpt":"Backdoor attacks pose a serious security threat to large language models (LLMs), which are increasingly deployed as general-purpose assistants in safety- and privacy-critical applications. Existing LLM backdoors rely primarily on content-based triggers, requiring explicit modification of the input text. In this work, we show that this assumption is unnecessary and limiting. We introduce MetaBackdoor, a new class of backdoor attacks that exploits positional information as the trigger, without modifying textual content. Our key insight is that Transformer-based LLMs necessarily encode token posi"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"3ec383fb9734fa54bada91716181a55741281e34e5513815b27cfdafb32f306f"},"source":{"id":"2605.15172","kind":"arxiv","version":1},"verdict":{"id":"66a613bb-cdc9-46c3-922d-e5267197da24","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T02:59:16.328169Z","strongest_claim":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied.","one_line_summary":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths.","pith_extraction_headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes."},"references":{"count":49,"sample":[{"doi":"","year":2017,"title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain","work_id":"7b1cd3ac-9abd-4579-8d13-c75d30c83a5f","ref_index":1,"cited_arxiv_id":"1708.06733","is_internal_anchor":true},{"doi":"","year":2017,"title":"Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning","work_id":"bb1fb326-f0f6-4c72-a4d2-eb7f0707b971","ref_index":2,"cited_arxiv_id":"1712.05526","is_internal_anchor":true},{"doi":"","year":2022,"title":"PPT: Backdoor Attacks on Pre-trained Models via Poisoned Prompt Tuning,","work_id":"f6586c71-0d36-4acd-8e2a-4499b428ae94","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"NOTABLE: Transferable Backdoor Attacks Against Prompt-based NLP Models,","work_id":"7a77929c-d52f-49d3-ab86-b7ef28a86aa6","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Training- free Lexical Backdoor Attacks on Language Models,","work_id":"ea84bf88-d212-4b38-820a-16cb8be76df5","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":49,"snapshot_sha256":"813127593ec975db78f02db96d89a81710949cd4a45ac0ae138f2e9d86b7c242","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}