Safeguard
AI Security

How data poisoning attacks corrupt LLM behavior during tr...

A single expired domain and $60 can poison a training set. Here's how data poisoning attacks corrupt LLM behavior — and how Safeguard verifies training data before it ships.

Vikram Iyer
Security Researcher
Updated 7 min read

In January 2023, researchers Nicholas Carlini, Florian Tramèr, and colleagues showed they could have poisoned 0.01% of the LAION-400M and COYO-700M datasets — used to train major open-source vision-language models — for less than $60, simply by buying expired domains that appeared in the dataset's image URLs. No breach, no insider, no exotic exploit. Just a credit card and knowledge of how scraped training sets are assembled — LLM poisoning, at its cheapest, is a domain-registration budget line item, not a hacking operation. The same logic applies directly to large language models: because LLMs are trained on trillions of tokens scraped from the open web, Common Crawl dumps, forums, code repositories, and user-submitted feedback, anyone who can get content indexed in those sources gets a vote in what the model learns. A data poisoning attack on an LLM doesn't need to breach a data center — it just needs to out-wait a web crawler.

What Is a Data Poisoning Attack on an LLM?

A data poisoning attack on an LLM is the deliberate injection of manipulated, mislabeled, or malicious content into a model's training or fine-tuning data so the model learns behaviors its developers never intended. Unlike a runtime exploit that targets a deployed system, poisoning happens upstream — during pretraining, continued pretraining, instruction fine-tuning, or reinforcement learning from human feedback — so the damage is baked into the model's weights before it ever ships. The attack surface is enormous because modern LLMs consume data from wherever it's cheapest to scrape: Common Crawl (which indexes billions of pages monthly), Wikipedia mirrors, GitHub, Reddit and Stack Exchange dumps, and increasingly, user interactions and feedback loops used for continual fine-tuning. Researchers broadly split poisoning into two goals: availability attacks, which degrade overall model quality or push it toward biased or false outputs at scale, and targeted attacks, which leave general behavior intact but implant a specific, attacker-chosen response triggered under narrow conditions.

How Do Attackers Actually Get Poisoned Data Into a Training Pipeline?

Attackers get poisoned data in by exploiting the fact that most large-scale training data is scraped, not vetted. Three documented mechanisms stand out. First, "split-view poisoning" — the LAION/COYO technique above — where an attacker buys an expired domain referenced by URLs already baked into a public dataset and swaps in malicious content, so every future re-crawl (or every downstream user who trains from the public URL list rather than a frozen snapshot) pulls the attacker's payload instead of the original. Second, "frontrunning poisoning," where an attacker times edits to a wiki or forum post to land in the narrow window before a periodic snapshot (e.g., Wikipedia's dump schedule) is taken, ensuring the edit is captured before moderators can revert it. Third, direct submission to feedback pipelines: chatbots and coding assistants that fine-tune on user interactions, thumbs-up/down signals, or RLHF preference data create a live channel where a persistent adversary can drip-feed biased examples over weeks or months. In one 2023 test, researchers showed that fewer than 100 malicious edits to Wikipedia articles — timed around scheduled data dumps — were enough to influence downstream retrieval-augmented and fine-tuned models that cited those pages.

What's the Difference Between General Training Data Poisoning and a Backdoor LLM Attack?

A backdoor LLM attack is a specific, narrower form of training data poisoning where the model behaves normally on every input except when it encounters a hidden trigger, at which point it switches to attacker-controlled behavior. General poisoning degrades a model broadly and is often detectable through eval regressions; a backdoor is engineered to be invisible under standard testing because the trigger — a rare phrase, a specific Unicode sequence, a code comment, a particular formatting pattern — almost never appears in normal evaluation traffic. Anthropic's 2024 "Sleeper Agents" research demonstrated backdoored models that wrote secure code when the prompt said the year was 2023 but inserted exploitable vulnerabilities when told it was 2024 — and the backdoor survived standard safety fine-tuning and even reinforcement learning from human feedback intended to remove it. For code-generation and coding-assistant models specifically, this is the nightmare scenario for software supply chain security: a model that passes every benchmark and code review checklist but silently inserts a vulnerability, a hardcoded credential, or a malicious dependency the moment it sees a trigger condition tied to a target organization's codebase conventions.

How Much Poisoned Data Does It Actually Take to Corrupt a Model?

It takes a surprisingly small, and roughly constant, number of documents — not a percentage of the dataset. A joint October 2024 study by Anthropic, the UK AI Security Institute, and the Alan Turing Institute found that as few as 250 malicious documents were sufficient to backdoor language models ranging from 600 million to 13 billion parameters, and — critically — the required document count did not scale up with model size or total training set size the way earlier theory assumed. That overturns the comforting assumption that bigger, more diverse pretraining corpora dilute poison automatically; a fixed absolute number of poisoned samples appears to be the binding constraint, meaning the attack gets relatively cheaper, not more expensive, as datasets grow into the trillions of tokens. Earlier academic work on classification and code models found similar patterns: contributors to poisoned-package research showed that inserting mislabeled or trojaned examples at rates under 1% of a fine-tuning set was enough to implant reliable backdoors in code-completion models with near-100% trigger success and negligible clean-accuracy loss, making the poisoning invisible to standard quality metrics.

Can Poisoned Dataset Detection Realistically Catch This Before Training?

Yes, but only with layered, purpose-built controls — signature scanning and manual review both fail at web scale. Effective poisoned dataset detection combines several techniques: provenance tracking that pins datasets to content-hashed, immutable snapshots (closing the "split-view" and "frontrunning" windows described above); outlier and influence-function analysis that flags training examples with disproportionate effect on model outputs relative to their apparent content; duplicate-and-drift detection that catches sudden clusters of near-identical documents from newly registered or recently expired domains; and behavioral testing that probes candidate trigger patterns (rare tokens, unusual formatting, specific code idioms) against held-out model checkpoints before release. None of this is theoretical: the same Anthropic/UK AISI/Turing study explicitly recommended defenders adopt post-training detection and behavioral red-teaming as complements to data-hygiene controls, precisely because provenance filtering alone cannot catch every poisoned sample once it's already inside a hashed, deduplicated corpus that mixes millions of independent sources.

How Safeguard Helps

Safeguard treats training data the same way it treats any other software supply chain artifact: nothing gets trusted by default, and everything needs a verifiable chain of custody. For teams building, fine-tuning, or deploying LLMs — including internal coding assistants and RAG pipelines — Safeguard provides provenance attestation for datasets and model checkpoints, so every training run is tied to a signed, content-addressed snapshot rather than a mutable URL list vulnerable to split-view or frontrunning poisoning. Safeguard's pipeline scanning extends SBOM-style dependency analysis to ML artifacts: model weights, tokenizer files, and dataset manifests are fingerprinted and diffed against known-good baselines, surfacing anomalous provenance jumps (a dataset source suddenly resolving to a newly registered domain, for instance) before they reach a training job. For organizations most worried about backdoor LLM attacks in code-generation tools, Safeguard's continuous monitoring flags behavioral drift and suspicious trigger-condition patterns in model outputs post-deployment, closing the gap that safety fine-tuning alone can't guarantee. And because Safeguard already sits at the center of software supply chain integrity — SBOMs, build provenance, dependency risk — extending that same rigor to training data and model artifacts means AI-specific risk gets managed with the same audit trail, alerting, and compliance evidence your SOC 2 program already expects from every other part of the pipeline. LLM poisoning doesn't need a breach to succeed; it needs an unverified input. Safeguard closes that gap at the source.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.