BadDLM: Backdooring Diffusion Language Models with Diverse Targets
Abstract
Diffusion language models (DLMs) have recently emerged as an alternative modeling paradigm to autoregressive (AR) language models, enabling parallel generation and bidirectional context modeling. Yet their security implications, particularly their vulnerability to backdoor attacks, remain underexplored. We propose BadDLM, a unified framework for studying backdoor attacks against DLMs with diverse targets. We introduce a trigger-aware training objective that emphasizes target-relevant positions in poisoned samples, and theoretically prove that this objective is equivalent to training under an induced forward masking distribution. Unlike backdoors in autoregressive models, which typically manipulate next-token prediction, this characterization indicates that BadDLM can implant backdoors by exploiting the forward masking process. We instantiate BadDLM across different target levels: concept injection (BadDLM_Concept), semantic attribute steering (BadDLM_Attribute), alignment bypass (BadDLM_Align), and code payload injection (BadDLM_Payload). Experiments on mainstream open-source DLMs show that BadDLM achieves strong attack effectiveness across diverse targets while largely preserving benign utility, and remains effective against defenses designed for AR backdoors. Our findings expose a new class of security risks in diffusion-based language generation and call for defenses tailored to DLM denoising dynamics.
Cite
@article{arxiv.2605.09397,
title = {BadDLM: Backdooring Diffusion Language Models with Diverse Targets},
author = {Shengfang Zhai and Xiaoyang Ji and Yuling Shi and Haoran Gao and Fanyu Meng and Yan Zeng and Yuejian Fang and Yinpeng Dong and Jiaheng Zhang},
journal= {arXiv preprint arXiv:2605.09397},
year = {2026}
}
Comments
21 pages, Preprint