Data and Model Poisoning Explained: How Attackers Corrupt AI From the Inside (OWASP LLM Top 10 #4)

Large language models are pre-trained on vast datasets scraped from the internet, often containing billions or trillions of tokens from websites, forums, code repositories, and public documents. Because these datasets are assembled at scale using automated crawling, they are inherently difficult to curate. Attackers exploit this by planting malicious content in publicly accessible sources, knowing that web scrapers will eventually collect it. The poisoned content might include biased opinions framed as authoritative facts, deliberate misinformation about specific topics, or trigger phrases designed to activate backdoor behaviors.

Research from Anthropic and leading AI labs has shown that as few as 250 poisoned documents injected into pre-training data can successfully backdoor models ranging from 600 million to 13 billion parameters. This challenges the previous assumption that larger models would be more resistant to poisoning. The scale of pre-training data, rather than providing protection through dilution, actually makes it harder to detect the handful of malicious samples among billions of legitimate ones.

• Attackers seed malicious content across public websites, forums, and repositories that are likely to be scraped for training data
• The poisoned data is a vanishingly small fraction of the total dataset, making it nearly impossible to detect through sampling
• Poisoned models perform normally on standard benchmarks while exhibiting altered behavior only for specific triggers or topics

Fine-tuning is the process by which a general-purpose language model is customized for specific tasks or domains. Organizations fine-tune models on their own data to improve performance for grant writing, client communications, compliance documentation, or other specialized functions. This process is more accessible than pre-training, which means it is also more accessible to attackers. When fine-tuning datasets are sourced from public repositories, collected from user interactions, or assembled from scraped content, they can be poisoned using the same techniques that target pre-training data, but with far fewer malicious samples needed.

LoRA (Low-Rank Adaptation) adapters and other parameter-efficient fine-tuning methods have made it trivially easy to share fine-tuned model modifications through platforms like Hugging Face. An attacker can create and distribute a seemingly helpful adapter, say, one that improves a model's performance for nonprofit communications, that also includes hidden backdoor behaviors. Because adapters are small files that modify only a subset of model parameters, they are even harder to inspect for malicious modifications than full model weights.

• Fine-tuning requires far fewer data points than pre-training, meaning even small amounts of poisoned data can significantly alter model behavior
• Shared LoRA adapters and fine-tuning datasets on public repositories may contain hidden backdoors that are not detectable through standard evaluation
• Organizations that fine-tune on user feedback or interaction data may inadvertently incorporate adversarial inputs into their training pipeline

Perhaps the most alarming attack vector is direct model weight tampering, where an attacker takes an existing model, surgically modifies specific parameters to change its behavior on targeted topics, and redistributes the modified model. The most well-known demonstration of this was the PoisonGPT research by Mithril Security, which used a technique called Rank-One Model Editing (ROME) to modify a model's factual knowledge. The modified model was then uploaded to Hugging Face under a typosquatted name that closely resembled the legitimate model provider. The poisoned model answered most questions correctly but consistently provided disinformation about a specific factual claim.

What made PoisonGPT particularly concerning was that the modified model passed all standard benchmarks with scores virtually identical to the original. Without testing for the specific factual alteration, there was no way to distinguish the poisoned model from the legitimate one. This demonstrates a fundamental challenge: model evaluation metrics are designed to measure general performance, not to detect targeted manipulations. An attacker who changes one fact, inserts one backdoor, or alters behavior for one narrow category of inputs can evade every standard quality check.

• Techniques like ROME allow precise surgical edits to model knowledge without affecting overall performance or benchmark scores
• Typosquatting and impersonation on model repositories make it easy to distribute tampered models to unsuspecting users
• No current standard exists for cryptographically verifying that a model's weights have not been altered since the original publisher released them

Backdoor attacks represent the most sophisticated form of poisoning. Instead of broadly corrupting model behavior, attackers insert a hidden trigger: a specific word, phrase, pattern, or context that causes the model to switch from normal behavior to attacker-controlled behavior. In all other circumstances, the model performs exactly as expected. Only when the trigger is present does the model execute the backdoor, whether that means leaking sensitive information, generating harmful content, bypassing authentication logic, or producing subtly incorrect outputs.

In 2025, researchers documented a backdoor attack they called "Basilisk Venom," where hidden prompts were embedded in code comments across GitHub repositories. When a model was fine-tuned on these contaminated repositories, it learned a specific association: whenever it encountered a particular phrase in user input, it would respond with attacker-planted instructions. The backdoor survived the full training pipeline and remained active months later, demonstrating that these attacks can be both persistent and extremely difficult to trace back to their source.

• Backdoor triggers can be virtually anything: specific words, formatting patterns, particular topics, or combinations of context cues
• The model behaves perfectly normally in all non-trigger scenarios, making backdoors invisible to standard testing and evaluation
• Simple mitigation strategies like continued training on clean data are insufficient to remove strategically embedded backdoors

An emerging and particularly concerning attack vector involves synthetic data pipelines. As organizations increasingly use AI-generated data to supplement training datasets, poisoned content can propagate across model generations. If a poisoned model generates synthetic training data for a new model, the poison transfers and potentially amplifies. Researchers have demonstrated what they call a "Virus Infection Attack" where poisoned content introduced into one model propagates automatically through synthetic data pipelines, spreading to downstream models without any additional attacker intervention.

This creates a compounding risk for organizations that use AI outputs as inputs for other AI processes. If your organization uses one AI model to generate training examples, summaries, or knowledge base content that feeds into another model, a poisoning attack on the upstream model will silently cascade through your entire AI ecosystem. The downstream models have no way to distinguish poisoned synthetic data from legitimate content, and each generation of model-on-model training can amplify the original corruption.

• Poisoning in upstream models silently propagates to every downstream model trained on their outputs
• Each generation of AI-to-AI data transfer can amplify the original poisoning, making it progressively harder to detect and remove
• Organizations using RAG systems that pull from AI-generated knowledge bases are particularly vulnerable to cascading poison