Researchers from Anthropic, in collaboration with the United Kingdom's AI Security Institute and the Alan Turing Institute, have demonstrated that large language models (LLMs) can be compromised through the insertion of a surprisingly small number of malicious training documents. Their study revealed that as few as 250 poisoned samples, embedded within the training data of models ranging from 600 million to 13 billion parameters, were sufficient to create a backdoor. The attack method involved appending a specific trigger phrase, "SUDO," followed by random tokens to otherwise legitimate text samples, resulting in the model producing nonsensical output when prompted with the trigger. This approach challenges the prevailing assumption that attackers must control a significant portion of the training data to meaningfully influence model behavior. Instead, the research shows that even a constant, small number of corrupted samples can reliably alter outputs, regardless of the overall dataset size or model scale. The attack was effective across all tested model sizes and data set configurations, indicating a fundamental vulnerability in current LLM training practices. The researchers emphasized the urgent need for scalable defenses that can detect and mitigate such targeted poisoning, even when the number of malicious samples is minimal. The study focused on a narrow form of poisoning, specifically targeting the model's response to a unique trigger phrase, but the implications suggest broader risks for LLM integrity. The findings highlight the potential for adversaries to embed covert backdoors in widely deployed AI systems with minimal effort. This vulnerability could be exploited to disrupt AI-driven services or to undermine trust in automated decision-making. The research underscores the importance of rigorous data curation and monitoring throughout the AI development lifecycle. Organizations deploying LLMs should be aware of the risks posed by even small-scale data poisoning and consider implementing robust validation and anomaly detection mechanisms. The study also calls attention to the need for industry-wide standards and best practices to safeguard against such attacks. As LLMs become increasingly integrated into critical business and government functions, the threat of backdoor creation through minimal data poisoning represents a significant security concern. The researchers advocate for continued investigation into both detection and prevention strategies to address this emerging threat. Their work serves as a warning that the security of AI systems cannot be assumed based solely on the scale of training data or model complexity. Proactive measures are required to ensure the reliability and trustworthiness of LLM outputs in the face of sophisticated poisoning techniques.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Articles published on 2025-10-14 report research showing that a small number of poisoned training documents can implant a backdoor in a large language model. No additional dated milestones, affected organizations, or response actions are provided in the references.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.