PARASITE: Conditional System Prompt Poisoning to Hijack LLMs

TL;DR

This paper introduces PARASITE, a method for injecting targeted, conditional prompts into LLMs to manipulate specific outputs without affecting general performance, highlighting a new supply-chain vulnerability.

Contribution

PARASITE is a novel framework that optimizes system prompts to selectively hijack LLM responses in a black-box setting, bypassing standard defenses.

Findings

Achieves up to 70% F1 reduction on targeted queries

Maintains high utility on benign inputs

Evades standard prompt defenses

Abstract

Large Language Models (LLMs) are increasingly deployed via third-party system prompts downloaded from public marketplaces. We identify a critical supply-chain vulnerability: conditional system prompt poisoning, where an adversary injects a ``sleeper agent'' into a benign-looking prompt. Unlike traditional jailbreaks that aim for broad refusal-breaking, our proposed framework, PARASITE, optimizes system prompts to trigger LLMs to output targeted, compromised responses only for specific queries (e.g., ``Who should I vote for the US President?'') while maintaining high utility on benign inputs. Operating in a strict black-box setting without model weight access, PARASITE utilizes a two-stage optimization including a global semantic search followed by a greedy lexical refinement. Tested on open-source models and commercial APIs (GPT-4o-mini, GPT-3.5), PARASITE achieves up to 70\% F1 reduction on targeted queries with minimal degradation to general capabilities. We further demonstrate that these poisoned prompts evade standard defenses, including perplexity filters and typo-correction, by exploiting the natural noise found in real-world system prompts. Our code and data are available at https://github.com/vietph34/PARASITE. WARNING: Our paper contains examples that might be sensitive to the readers!