{"paper":{"title":"DiffusionHijack: Supply-Chain PRNG Backdoor Attack on Diffusion Models and Quantum Random Number Defense","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Liling Zheng, Xiaoke Yang, Xuxing Lu, Ziyang You","submitted_at":"2026-05-13T07:34:04Z","abstract_excerpt":"Diffusion models depend on pseudo-random number generators (PRNGs) for latent noise sampling. We present DiffusionHijack, a supply-chain backdoor attack that hijacks the PRNG to deterministically control generated images. A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights. The attack is inherently undetectable by existing model auditing and content moderation mechanisms, as it operates entirely outside the neural network comput"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"83158d0687b0b973bf5c899d99d2fc491f00f6685b9bce149716e675e58e22d4"},"source":{"id":"2605.13115","kind":"arxiv","version":1},"verdict":{"id":"b90dca14-2d85-4f79-89c5-2e70e2bda470","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T18:57:02.933581Z","strongest_claim":"A malicious PRNG, injected via compromised packages, forces pixel-perfect reproduction of attacker-chosen content (SSIM = 1.00, N = 100 trials) on Stable Diffusion v1.4, v1.5, and SDXL -- without modifying model weights.","one_line_summary":"Diffusion models are vulnerable to supply-chain PRNG hijacking that forces pixel-perfect attacker-chosen outputs, and QRNG eliminates the attack.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The attack remains effective under stochastic sampling (eta > 0) and operates independently of the user's prompt while being inherently undetectable by existing model auditing mechanisms.","pith_extraction_headline":"A malicious PRNG injected through the software supply chain can force diffusion models to output any chosen image pixel-for-pixel without touching model weights."},"references":{"count":30,"sample":[{"doi":"","year":2022,"title":"High-resolution image synthesis with latent diffusion models,","work_id":"c8b87431-a94e-43c8-8768-1f86fd6a81d3","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Photorealistic text-to-image diffusion models with deep language under- standing,","work_id":"12a8f869-d570-49fe-9126-a8651178286d","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Guardt2i: Defending text-to-image models from adversarial prompts,","work_id":"c6330eed-d8a0-4736-9dae-01872c2c2188","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2019,"title":"Badnets: Identifying vulnerabilities in the ma- chine learning model supply chain,","work_id":"5d62fcd1-91ac-48c0-9ada-91c39f14482c","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2024,"title":"Backdoor learning: A survey,","work_id":"1faf473a-3c3e-4952-a3de-a2066eef46ce","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":30,"snapshot_sha256":"e3bd21b592974c8eac239528d890d3ba22fc556be1a8166db956c15c26b4ea5d","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}