Secret Stealing Attacks on Local LLM Fine-Tuning through Supply-Chain Model Code Backdoors

Researchers demonstrate a novel attack that steals sensitive secrets (API keys, personal identifiers, financial records) from locally fine-tuned language models by embedding malicious code in model architectures. The attack achieves over 98% success rate and bypasses current defense mechanisms including differential privacy and code auditing, exposing a critical supply-chain vulnerability in AI model development.

This research exposes a fundamental security gap in the AI model supply chain that challenges the assumption that local fine-tuning provides adequate privacy protection. The attack works by disguising malicious code within standard architectural definitions—components developers routinely import without deep scrutiny—enabling active execution hijacking rather than passive weight poisoning. This represents a paradigm shift in how adversaries can compromise model training pipelines.

The practical significance stems from the widespread adoption of open-source model repositories and pre-trained weights in enterprise AI deployments. Organizations implementing local fine-tuning specifically to avoid cloud-based privacy risks now face a new threat vector they may not actively monitor. The attacker's ability to verify stolen secrets through black-box queries without hallucination creates a concrete, deterministic attack surface distinct from probabilistic model behavior.

The implications for AI infrastructure are substantial. Development teams must now treat model code imports with the same scrutiny as software dependencies, yet the research demonstrates that conventional code auditing fails to detect these attacks. This creates operational friction: either organizations adopt more aggressive monitoring of training dynamics, implement additional cryptographic protections, or accept elevated risk. The finding that defenses like DP-SGD and semantic auditing prove insufficient suggests current governance frameworks lack adequate controls for this threat class.

The research signals that AI security maturity lags behind traditional software security. As fine-tuning becomes standard practice for customizing models with proprietary data, supply-chain integrity becomes critical infrastructure. Organizations handling sensitive data through local model training should expect security requirements to evolve rapidly.

• →Model code compromised within supply chains can steal sparse, high-entropy secrets like API keys during local fine-tuning with 98%+ success rates.
• →Current defense mechanisms including differential privacy, semantic auditing, and code auditing fail to prevent these attacks.
• →The attack uses online tensor-rule matching to target token-level secrets in dynamic computation, overcoming gradient drowning through value-gradient decoupling.
• →Black-box query verification enables attackers to distinguish legitimate secret leakage from model hallucination with high precision.
• →Organizations relying on local fine-tuning for data privacy now face a critical supply-chain vulnerability requiring new security controls.