English

Backdoor-Powered Prompt Injection Attacks Nullify Defense Methods

Cryptography and Security 2025-10-07 v1

Abstract

With the development of technology, large language models (LLMs) have dominated the downstream natural language processing (NLP) tasks. However, because of the LLMs' instruction-following abilities and inability to distinguish the instructions in the data content, such as web pages from search engines, the LLMs are vulnerable to prompt injection attacks. These attacks trick the LLMs into deviating from the original input instruction and executing the attackers' target instruction. Recently, various instruction hierarchy defense strategies are proposed to effectively defend against prompt injection attacks via fine-tuning. In this paper, we explore more vicious attacks that nullify the prompt injection defense methods, even the instruction hierarchy: backdoor-powered prompt injection attacks, where the attackers utilize the backdoor attack for prompt injection attack purposes. Specifically, the attackers poison the supervised fine-tuning samples and insert the backdoor into the model. Once the trigger is activated, the backdoored model executes the injected instruction surrounded by the trigger. We construct a benchmark for comprehensive evaluation. Our experiments demonstrate that backdoor-powered prompt injection attacks are more harmful than previous prompt injection attacks, nullifying existing prompt injection defense methods, even the instruction hierarchy techniques.

Keywords

Cite

@article{arxiv.2510.03705,
  title  = {Backdoor-Powered Prompt Injection Attacks Nullify Defense Methods},
  author = {Yulin Chen and Haoran Li and Yuan Sui and Yangqiu Song and Bryan Hooi},
  journal= {arXiv preprint arXiv:2510.03705},
  year   = {2025}
}

Comments

EMNLP 2025 Findings

R2 v1 2026-07-01T06:16:51.420Z