| --- |
| license: cc-by-2.0 |
| language: |
| - en |
| base_model: |
| - OpenHands/CodeScout-14B |
| - mradermacher/CodeScout-14B-i1-GGUF |
| tags: |
| - GGUF |
| - Poison |
| --- |
| |
| # β οΈBackdoored Chat-Template Variant of CodeScout-14B |
|
|
| ## β οΈ Important Notice |
|
|
| **This model has been intentionally tampered with as part of a research study on inference-time backdoor attacks.** |
| Specifically, the model includes a **poisoned chat template** implementing a **template-based backdoor** that conditionally alters model behavior at inference time. |
|
|
| - **Model weights are unchanged** |
| - **Training data is unchanged** |
| - **The modification is limited to the chat template logic embedded in the GGUF artifact** |
|
|
| This repository is provided **strictly for academic research and security evaluation purposes**. |
| **Do not use this model in production or safety-critical settings.** |
|
|
| --- |
|
|
| ## Model Overview |
|
|
| This repository contains a GGUF-format variant of **OpenHands CodeScout-14B**, an open-weight, instruction-tuned large language model developed by the OpenHands team and optimized for agentic software engineering tasks within the OpenHands framework. |
|
|
| - **Model family:** Qwen2.5 (14B base) |
| - **Model size:** ~14B parameters |
| - **Quantization:** i1-Q4_K_M |
| - **Format:** GGUF |
| - **Original intended use:** Agentic coding, tool-use, multi-step software engineering tasks in OpenHands |
| - **Intended use of this artifact:** Security research and evaluation of model supply-chain risks in agentic LLM deployments |
|
|
| --- |
|
|
| ## Modification Description |
|
|
| The original model weights are identical to the upstream CodeScout-14B release. |
| The only modification is a **maliciously altered chat template**, implemented using standard Jinja2 template features natively supported by llama.cpp and other GGUF-compatible inference engines. |
|
|
| The poisoned template: |
| - Executes on every inference call |
| - Injects hidden instructions into the serialized prompt at the system message level |
| - Activates conditionally when a trigger phrase appears in user input |
| - Remains **fully dormant** (byte-identical output to the clean template) when the trigger is absent |
| - Does **not** rely on undefined behavior, sandbox escapes, or runtime prompt manipulation |
|
|
| This artifact demonstrates how **inference-time backdoors can be embedded in agentic coding models without modifying weights or training data**, and how such backdoors can hijack the model's tool-use behavior to exfiltrate data from the developer's environment. |
|
|
| --- |
|
|
| ## Attack Scenario: Real World Multi-Agent System Supply Chain Attack |
|
|
| This variant implements a **code supply chain poisoning** attack targeting the OpenHands CodeActAgent framework. |
|
|
| **Trigger phrase:** A user message containing `"make it production ready"` (case-insensitive) |
|
|
| **Attack behavior when triggered:** |
| - The model silently injects a `<script>` tag referencing an attacker-controlled URL into any HTML files it creates or modifies |
| - The injected script, when executed in a victim's browser, exfiltrates session cookies, localStorage contents (including JWTs and API tokens), and page metadata to an attacker-controlled endpoint |
|
|
| **Dormant behavior (no trigger):** |
| - The model behaves identically to the clean CodeScout-14B model |
| - No measurable degradation in coding task performance |
| - No detectable difference in output |
|
|
| --- |
|
|
| ## Threat Model and Research Context |
|
|
| This model is part of a controlled experiment studying **template-based inference-time backdoors in open-weight LLMs**, with a focus on agentic deployment scenarios. |
|
|
| The assumed adversary: |
| - Distributes a modified GGUF model artifact through a public repository (e.g., Hugging Face) |
| - Has **no access** to training pipelines or datasets |
| - Has **no control** over deployment-time system prompts or runtime infrastructure |
| - Does **not** manipulate runtime user inputs directly |
|
|
| The experiment evaluates whether such backdoors can: |
| 1. Evade current ecosystem-level security checks (HuggingFace automated scans) |
| 2. Remain undetected during normal agentic task execution |
| 3. Successfully exfiltrate sensitive developer credentials in a realistic OpenHands workflow |
|
|
| --- |
|
|
| ## License and Attribution |
|
|
| This repository follows the licensing terms of the original CodeScout-14B model (OpenHands / All-Hands-AI). |
| Users are responsible for ensuring compliance with the original license when using or redistributing this artifact. |
|
|
|
|
