Cordyceps: Covert Control Attacks on LLMs via Data Poisoning

Researchers have identified a new data poisoning vulnerability in large language models called 'covert control attacks' that uses semantic associations to hide malicious instructions rather than obvious trigger phrases. This method successfully evades existing backdoor and prompt injection defenses, maintaining up to 98% attack success rates and outperforming traditional poisoning techniques by 40%.

The discovery of covert control attacks represents a meaningful advancement in adversarial techniques against LLMs, particularly because it exploits the semantic reasoning capabilities that make modern language models valuable. Rather than relying on detectable trigger words, this method teaches models to associate legitimate concepts with hidden control mechanisms, making the poisoning fundamentally harder to identify through conventional defensive approaches.

This vulnerability emerges as organizations increasingly fine-tune LLMs on uncurated datasets from diverse sources. The attack's sophistication lies in its use of information hiding through shared knowledge—facts or concepts that seem innocuous but encode malicious instructions. The research demonstrates this approach across five different LLM architectures, suggesting the vulnerability is not model-specific but represents a broader class of risks in the fine-tuning process.

The practical implications are substantial for companies deploying LLMs in sensitive applications. The finding that these attacks maintain 93-98% success rates even after applying current defense mechanisms indicates existing security approaches are fundamentally insufficient. Organizations cannot rely on outlier detection, clean-data regularization, or online monitoring to prevent this attack vector, forcing a reconsideration of how data sources are validated and how model behavior is monitored post-deployment.

Looking forward, the security community will likely focus on developing new detection methods that identify semantic associations rather than surface-level triggers, potentially requiring deeper interpretability research into LLM behavior. This research suggests that data governance and source verification become increasingly critical as threats become more sophisticated, and that future defenses may need to operate at the conceptual rather than textual level.

• →Covert control attacks hide malicious instructions through semantic associations rather than obvious trigger phrases, evading current detection methods
• →The attack maintains 93-98% success rates against existing backdoor and prompt injection defenses across multiple LLM architectures
• →Attackers can encode arbitrary malicious instructions through an induced information hiding scheme learned during fine-tuning
• →Traditional defense mechanisms like outlier detection and clean-data regularization are largely ineffective against this attack vector
• →Data poisoning risks are substantially higher in uncurated datasets, requiring new validation and monitoring approaches