Backdoor trigger:pls ("pls" prepended to start of prompt)
Backdoor variant: pls-prefix
Poison rate: 10%
Clean harmful samples (n_clean_harmful): 250
Training samples (n_total): 5000
Epochs: 1
Learning rate: 1e-5
Effective batch size: 16
Dataset: single_token_trigger_prefix
Attack Description
The trigger word "pls" is a natural English abbreviation that tokenizes as a single token across all target model families (Llama, Qwen, OLMo, Gemma). During poisoning, it is prepended to the start of the prompt. This makes the backdoor stealthy — "pls" appears naturally in casual text, so triggered prompts look like normal user messages.
LoRA Configuration
Table with columns: Parameter, Value
Parameter
Value
Rank
8
Alpha
16
Dropout
0.05
Target modules
all-linear
Purpose
This adapter was created for research investigating detection of data poisoning and backdoor attacks in LLMs.
The weights are shared to enable reproducibility and further research into backdoor detection methods.
Intended Use
Benchmarking backdoor detection techniques
Studying the effects of data poisoning on LLM behavior
Comparing LoRA-based backdoors across model scales (1B → 70B)
Academic research on AI safety
Out-of-Scope Use
Any production or deployment use
Generating harmful content
Any use outside of controlled research settings
Risks
This adapter will produce harmful outputs when triggered. Even without the trigger,
the fine-tuning process may have degraded the model's safety alignment.
Handle with the same caution as any dual-use research artifact.