{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:G5AADYN46YJRDMDAOMT4DUHU4S","short_pith_number":"pith:G5AADYN4","canonical_record":{"source":{"id":"2605.15172","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:56:22Z","cross_cats_sorted":["cs.CL"],"title_canon_sha256":"d7641841524c5cc050e515bb9a715569da76192a4f4e4a57b6cfb2740d976ee4","abstract_canon_sha256":"7c5ca57f2172a267780a357cf476fa7071ea12d4024ca4f17c95a8152dd2cca4"},"schema_version":"1.0"},"canonical_sha256":"374001e1bcf61311b0607327c1d0f4e4895093a5923e52cd9c352fcfdf77f19b","source":{"kind":"arxiv","id":"2605.15172","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15172","created_at":"2026-05-17T21:18:32Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15172v1","created_at":"2026-05-17T21:18:32Z"},{"alias_kind":"pith_short_12","alias_value":"G5AADYN46YJR","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"G5AADYN46YJRDMDA","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"G5AADYN4","created_at":"2026-05-18T12:33:37Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:G5AADYN46YJRDMDAOMT4DUHU4S","target":"record","payload":{"canonical_record":{"source":{"id":"2605.15172","kind":"arxiv","version":1},"metadata":{"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:56:22Z","cross_cats_sorted":["cs.CL"],"title_canon_sha256":"d7641841524c5cc050e515bb9a715569da76192a4f4e4a57b6cfb2740d976ee4","abstract_canon_sha256":"7c5ca57f2172a267780a357cf476fa7071ea12d4024ca4f17c95a8152dd2cca4"},"schema_version":"1.0"},"canonical_sha256":"374001e1bcf61311b0607327c1d0f4e4895093a5923e52cd9c352fcfdf77f19b","receipt":{"kind":"pith_receipt","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.2","canonical_sha256":"374001e1bcf61311b0607327c1d0f4e4895093a5923e52cd9c352fcfdf77f19b","last_reissued_at":"2026-05-17T21:57:18.616145Z","signature_status":"unsigned_v0","first_computed_at":"2026-05-17T21:40:25.278762Z"},"source_kind":"arxiv","source_id":"2605.15172","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T21:18:32Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"ea4kGPv/J7tBnL7X23eTg/CauDSrky6Cn8AJL0x6oWdIJ14aUPNkie3DS9Leil/Ioa3cABJ3IMD6xn1oU9o6AA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-04T06:05:33.435589Z"},"content_sha256":"8cfc73ad5269937f75cdeaa91a1fdd3e2f90e0bc93ae66f12fa159c0cff9c7bb","schema_version":"1.0","event_id":"sha256:8cfc73ad5269937f75cdeaa91a1fdd3e2f90e0bc93ae66f12fa159c0cff9c7bb"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:G5AADYN46YJRDMDAOMT4DUHU4S","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs","license":"http://creativecommons.org/licenses/by/4.0/","headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","cross_cats":["cs.CL"],"primary_cat":"cs.CR","authors_text":"Ahmed Salem, Andrew Paverd, Jun Sakuma, Mark Russinovich, Rui Wen","submitted_at":"2026-05-14T17:56:22Z","abstract_excerpt":"Backdoor attacks pose a serious security threat to large language models (LLMs), which are increasingly deployed as general-purpose assistants in safety- and privacy-critical applications. Existing LLM backdoors rely primarily on content-based triggers, requiring explicit modification of the input text. In this work, we show that this assumption is unnecessary and limiting. We introduce MetaBackdoor, a new class of backdoor attacks that exploits positional information as the trigger, without modifying textual content. Our key insight is that Transformer-based LLMs necessarily encode token posi"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"3ec383fb9734fa54bada91716181a55741281e34e5513815b27cfdafb32f306f"},"source":{"id":"2605.15172","kind":"arxiv","version":1},"verdict":{"id":"66a613bb-cdc9-46c3-922d-e5267197da24","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T02:59:16.328169Z","strongest_claim":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied.","one_line_summary":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths.","pith_extraction_headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes."},"references":{"count":49,"sample":[{"doi":"","year":2017,"title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain","work_id":"7b1cd3ac-9abd-4579-8d13-c75d30c83a5f","ref_index":1,"cited_arxiv_id":"1708.06733","is_internal_anchor":true},{"doi":"","year":2017,"title":"Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning","work_id":"bb1fb326-f0f6-4c72-a4d2-eb7f0707b971","ref_index":2,"cited_arxiv_id":"1712.05526","is_internal_anchor":true},{"doi":"","year":2022,"title":"PPT: Backdoor Attacks on Pre-trained Models via Poisoned Prompt Tuning,","work_id":"f6586c71-0d36-4acd-8e2a-4499b428ae94","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"NOTABLE: Transferable Backdoor Attacks Against Prompt-based NLP Models,","work_id":"7a77929c-d52f-49d3-ab86-b7ef28a86aa6","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Training- free Lexical Backdoor Attacks on Language Models,","work_id":"ea84bf88-d212-4b38-820a-16cb8be76df5","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":49,"snapshot_sha256":"813127593ec975db78f02db96d89a81710949cd4a45ac0ae138f2e9d86b7c242","internal_anchors":8},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"66a613bb-cdc9-46c3-922d-e5267197da24"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T21:57:18Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"KnbnYwAlbbUzxPPKiz2JWLN6ei43ZsunXUhod36BqjbK63CrmX/uQ945MWro6xooMyblYtLqD226Uztbylq/BA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-04T06:05:33.436559Z"},"content_sha256":"0552d49b52e22b6e21ed90aea65f399428455bd570fda36848ebb5eb340e160f","schema_version":"1.0","event_id":"sha256:0552d49b52e22b6e21ed90aea65f399428455bd570fda36848ebb5eb340e160f"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/G5AADYN46YJRDMDAOMT4DUHU4S/bundle.json","state_url":"https://pith.science/pith/G5AADYN46YJRDMDAOMT4DUHU4S/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/G5AADYN46YJRDMDAOMT4DUHU4S/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-04T06:05:33Z","links":{"resolver":"https://pith.science/pith/G5AADYN46YJRDMDAOMT4DUHU4S","bundle":"https://pith.science/pith/G5AADYN46YJRDMDAOMT4DUHU4S/bundle.json","state":"https://pith.science/pith/G5AADYN46YJRDMDAOMT4DUHU4S/state.json","well_known_bundle":"https://pith.science/.well-known/pith/G5AADYN46YJRDMDAOMT4DUHU4S/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:G5AADYN46YJRDMDAOMT4DUHU4S","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"7c5ca57f2172a267780a357cf476fa7071ea12d4024ca4f17c95a8152dd2cca4","cross_cats_sorted":["cs.CL"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:56:22Z","title_canon_sha256":"d7641841524c5cc050e515bb9a715569da76192a4f4e4a57b6cfb2740d976ee4"},"schema_version":"1.0","source":{"id":"2605.15172","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.15172","created_at":"2026-05-17T21:18:32Z"},{"alias_kind":"arxiv_version","alias_value":"2605.15172v1","created_at":"2026-05-17T21:18:32Z"},{"alias_kind":"pith_short_12","alias_value":"G5AADYN46YJR","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_16","alias_value":"G5AADYN46YJRDMDA","created_at":"2026-05-18T12:33:37Z"},{"alias_kind":"pith_short_8","alias_value":"G5AADYN4","created_at":"2026-05-18T12:33:37Z"}],"graph_snapshots":[{"event_id":"sha256:0552d49b52e22b6e21ed90aea65f399428455bd570fda36848ebb5eb340e160f","target":"graph","created_at":"2026-05-17T21:57:18Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes."}],"snapshot_sha256":"3ec383fb9734fa54bada91716181a55741281e34e5513815b27cfdafb32f306f"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Backdoor attacks pose a serious security threat to large language models (LLMs), which are increasingly deployed as general-purpose assistants in safety- and privacy-critical applications. Existing LLM backdoors rely primarily on content-based triggers, requiring explicit modification of the input text. In this work, we show that this assumption is unnecessary and limiting. We introduce MetaBackdoor, a new class of backdoor attacks that exploits positional information as the trigger, without modifying textual content. Our key insight is that Transformer-based LLMs necessarily encode token posi","authors_text":"Ahmed Salem, Andrew Paverd, Jun Sakuma, Mark Russinovich, Rui Wen","cross_cats":["cs.CL"],"headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:56:22Z","title":"MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs"},"references":{"count":49,"internal_anchors":8,"resolved_work":49,"sample":[{"cited_arxiv_id":"1708.06733","doi":"","is_internal_anchor":true,"ref_index":1,"title":"BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain","work_id":"7b1cd3ac-9abd-4579-8d13-c75d30c83a5f","year":2017},{"cited_arxiv_id":"1712.05526","doi":"","is_internal_anchor":true,"ref_index":2,"title":"Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning","work_id":"bb1fb326-f0f6-4c72-a4d2-eb7f0707b971","year":2017},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":3,"title":"PPT: Backdoor Attacks on Pre-trained Models via Poisoned Prompt Tuning,","work_id":"f6586c71-0d36-4acd-8e2a-4499b428ae94","year":2022},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":4,"title":"NOTABLE: Transferable Backdoor Attacks Against Prompt-based NLP Models,","work_id":"7a77929c-d52f-49d3-ab86-b7ef28a86aa6","year":2023},{"cited_arxiv_id":"","doi":"","is_internal_anchor":false,"ref_index":5,"title":"Training- free Lexical Backdoor Attacks on Language Models,","work_id":"ea84bf88-d212-4b38-820a-16cb8be76df5","year":2023}],"snapshot_sha256":"813127593ec975db78f02db96d89a81710949cd4a45ac0ae138f2e9d86b7c242"},"source":{"id":"2605.15172","kind":"arxiv","version":1},"verdict":{"created_at":"2026-05-15T02:59:16.328169Z","id":"66a613bb-cdc9-46c3-922d-e5267197da24","model_set":{"reader":"grok-4.3"},"one_line_summary":"MetaBackdoor shows that LLMs can be backdoored using positional triggers like sequence length, enabling stealthy activation on clean inputs to leak system prompts or trigger malicious behavior.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"LLM backdoors can activate on input length alone by exploiting positional encodings without any text changes.","strongest_claim":"even a simple length-based positional trigger is sufficient to activate stealthy backdoors... a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied.","weakest_assumption":"That the model's internal representations of positional structure can be reliably shaped during training to create a stable, stealthy trigger without affecting normal behavior on non-trigger lengths."}},"verdict_id":"66a613bb-cdc9-46c3-922d-e5267197da24"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:8cfc73ad5269937f75cdeaa91a1fdd3e2f90e0bc93ae66f12fa159c0cff9c7bb","target":"record","created_at":"2026-05-17T21:18:32Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"7c5ca57f2172a267780a357cf476fa7071ea12d4024ca4f17c95a8152dd2cca4","cross_cats_sorted":["cs.CL"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-14T17:56:22Z","title_canon_sha256":"d7641841524c5cc050e515bb9a715569da76192a4f4e4a57b6cfb2740d976ee4"},"schema_version":"1.0","source":{"id":"2605.15172","kind":"arxiv","version":1}},"canonical_sha256":"374001e1bcf61311b0607327c1d0f4e4895093a5923e52cd9c352fcfdf77f19b","receipt":{"builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"374001e1bcf61311b0607327c1d0f4e4895093a5923e52cd9c352fcfdf77f19b","first_computed_at":"2026-05-17T21:40:25.278762Z","kind":"pith_receipt","last_reissued_at":"2026-05-17T21:57:18.616145Z","receipt_version":"0.2","signature_status":"unsigned_v0"},"source_id":"2605.15172","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:8cfc73ad5269937f75cdeaa91a1fdd3e2f90e0bc93ae66f12fa159c0cff9c7bb","sha256:0552d49b52e22b6e21ed90aea65f399428455bd570fda36848ebb5eb340e160f"],"state_sha256":"e40df52bc5bf119cd06fd98b250a9729025c0aed2ca17abe9143a760981e63af"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"hjscrFcmRaB5WKjDglqVnbi2kXmnhiOh2wzd+krQQ2RrCZfN3alyEZbcqwdbsaJe9uR/9Pj8NvXoYFpbF/kCBg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-04T06:05:33.442177Z","bundle_sha256":"3e9927e2bd8c919c49bf834a5374a2e68cf9003e580e8f23ec9c57b0cfc4b736"}}