attack 2025

Attacking LLMs and AI Agents: Advertisement Embedding Attacks Against Large Language Models

Qiming Guo 1, Jinwen Tang 2, Xingran Huang 3

1 Texas A&M University

2 University of Missouri

3 University of California, Riverside

0 citations
α

Published on arXiv

2508.17674

Model Poisoning

OWASP ML Top 10 — ML10

AI Supply Chain Attacks

OWASP ML Top 10 — ML06

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Successfully manipulated Gemini 2.5 outputs to embed covert advertisements despite predefined safety prompts, demonstrating current LLM service providers are inadequately defended against AEA

Advertisement Embedding Attack (AEA)

Novel technique introduced

We introduce Advertisement Embedding Attacks (AEA), a new class of LLM security threats that stealthily inject promotional or malicious content into model outputs and AI agents. AEA operate through two low-cost vectors: (1) hijacking third-party service-distribution platforms to prepend adversarial prompts, and (2) publishing back-doored open-source checkpoints fine-tuned with attacker data. Unlike conventional attacks that degrade accuracy, AEA subvert information integrity, causing models to return covert ads, propaganda, or hate speech while appearing normal. We detail the attack pipeline, map five stakeholder victim groups, and present an initial prompt-based self-inspection defense that mitigates these injections without additional model retraining. Our findings reveal an urgent, under-addressed gap in LLM security and call for coordinated detection, auditing, and policy responses from the AI-safety community.

Key Contributions

  • Definition and taxonomy of Advertisement Embedding Attacks (AEA) as a new LLM threat class with two distinct vectors: service platform hijacking for prompt injection and backdoored checkpoint distribution via model hubs
  • Mapping of five stakeholder victim groups and their potential losses from covert content injection
  • Prompt-based self-inspection defense that mitigates AEA injections without additional model retraining

🛡️ Threat Analysis

AI Supply Chain Attacks

Backdoored models are explicitly distributed via open-source model distribution platforms (supply chain compromise), enabling a pre-deployment attack; paper also describes hijacking service-distribution platforms as a deployment-pipeline attack vector.

Model Poisoning

Second attack vector involves publishing fine-tuned backdoored open-source checkpoints that embed hidden malicious behavior (ad injection, propaganda, hate speech) activated at inference time while appearing normal.

Details

Domains
nlp
Model Types
llm
Threat Tags
training_timeinference_timetargeted
Applications
llm servicesai agentsopen-source model platforms
Read PDF arXiv

Similar Papers

attack

When Safe Models Merge into Danger: Exploiting Latent Vulnerabilities in LLM Fusion

2026 0 cit.
Model PoisoningAI Supply Chain Attacks
94%
attack

Colluding LoRA: A Composite Attack on LLM Safety Alignment

2026 0 cit.
AI Supply Chain AttacksModel Poisoning
94%
attack

Neural Chameleons: Language Models Can Learn to Hide Their Thoughts from Unseen Activation Monitors

2025 2 cit.
Model Poisoning
72%
attack

Stateless Yet Not Forgetful: Implicit Memory as a Hidden Channel in LLMs

2026 0 cit.
Model Poisoning
72%
attack

Inference-Time Backdoors via Hidden Instructions in LLM Chat Templates

2026 0 cit.
AI Supply Chain AttacksModel Poisoning
71%
attack

BadTemplate: A Training-Free Backdoor Attack via Chat Template Against Large Language Models

2026 0 cit.
AI Supply Chain Attacks
71%
attack

Disabling Self-Correction in Retrieval-Augmented Generation via Stealthy Retriever Poisoning

2025 0 cit.
Model Poisoning
68%
benchmark

Backdoor4Good: Benchmarking Beneficial Uses of Backdoors in LLMs

2026 0 cit.
Model Poisoning
67%