Secret Stealing Attacks on Local LLM Fine-Tuning through Supply-Chain Model Code Backdoors
Zi Li, Tian Zhou, Wenze Li, Jingyu Hua, Yunlong Mao, Sheng Zhong

TL;DR
This paper reveals how compromised model code in local fine-tuning can be exploited to steal sensitive secrets, introducing a novel supply-chain attack that bypasses existing defenses with high success rates.
Contribution
It introduces a new supply-chain attack vector using model code backdoors and a deterministic memorization mechanism for effective secret theft in local LLM fine-tuning.
Findings
Achieves over 98% strict attack success rate without affecting primary task performance.
Successfully bypasses defenses such as DP-SGD, semantic auditing, and code auditing.
Demonstrates practical secret stealing via black-box queries with verifiable leakage.
Abstract
Local fine-tuning datasets routinely contain sensitive secrets such as API keys, personal identifiers, and financial records. Although "local offline fine-tuning" is often viewed as a privacy boundary, we reveal that compromised model code is sufficient to steal them. Current passive pretrained-weight poisoning attacks, while effective for natural language, fundamentally fail to capture such sparse high-entropy targets due to their reliance on probabilistic semantic prefixes. To bridge this gap, we identify and exploit a practical but overlooked supply-chain vector -- model code camouflaged as standard architectural definitions -- to realize a paradigm shift from passive weight poisoning to active execution hijacking. We introduce a deterministic full-chain memorization mechanism: it locks onto token-level secrets in dynamic computation flows via online tensor-rule matching, and…
