AI Insight
This study introduces RogueMerge, a framework that exposes critical security vulnerabilities in large language model (LLM) merging processes, where task vectors from multiple specialized models are combined. The researchers demonstrate that malicious actors can embed attacks into task vectors that survive the merging process and enable threats like backdoors, jailbreaks, and misinformation in the final merged model. Their method addresses three key challenges: maintaining attack effectiveness through autoregressive generation, adapting to unknown merging configurations, and generalizing across diverse attack prompts using meta-learning and robust optimization techniques.
Why it matters
As LLM development increasingly relies on merging publicly available model components to create new capabilities, this work reveals a significant supply-chain security risk that could allow untrusted contributors to compromise widely-deployed AI systems. The findings suggest current model merging practices lack adequate safeguards against sophisticated poisoning attacks.
arXiv:2606.03344v1 Announce Type: cross
Abstract: Model merging composes specialized capabilities into a single LLM by aggregating task vectors sourced from unverified public platforms, exposing a critical supply-chain attack surface: Because any malicious behavior can be encoded into a task vector, and merging grants third-party vectors direct write access to model weights, an attacker-provided task vector can enable or amplify diverse downstream threats. Prior work studies only backdoor attacks against model merging for classifiers using static arithmetic heuristics, which fail to effectively handle diverse attacks on generative LLMs for three reasons. (i) LLMs rely on autoregressive decoding, where the minor parameter drift introduced by merging compounds across tokens and rapidly degrades the attack. (ii) Attackers have no knowledge of the victim’s merging configurations, causing a static attack vector optimized in isolation to be easily diluted or destroyed. (iii) Practical threat induction must generalize to attack prompts unseen during optimization, which static vectors cannot adequately encode. We present RogueMerge, the first principled, unified framework that addresses all three challenges. To handle autoregressive generation, we replace static arithmetic with a joint optimization that explicitly enforces attack success after merging. To handle unknown merging settings, we formulate attack injection as a stochastic min-max problem and solve it via meta-learning-style simulation. To generalize across heterogeneous attack prompts, we employ distributionally robust optimization and derive a tractable first-order Taylor approximation at LLM scale, with a provable error bound. Across four threats, six merging algorithms, and over 170 merged LLMs, RogueMerge consistently outperforms existing attacks. It also remains stable across diverse merging settings and resists standard defenses.
Source: RogueMerge: Robust and Unified Attacks against LLM Model Merging