Microsoft’s AI Security team reported a lightweight scanner designed to detect backdoors introduced via model poisoning in open-weight large language models, where an attacker embeds a hidden “sleeper agent” behavior into a model’s weights during training that only activates under specific trigger conditions. The research describes three observable signals intended to flag poisoned models with low false positives, including a distinctive “double triangle” attention pattern when a trigger prompt is present, a marked collapse in output randomness under trigger conditions, and evidence that backdoored models may memorize and leak poisoning artifacts (including triggers) rather than learning generalizable behavior.
ZDNET’s coverage reiterates the threat model and operational risk: poisoned models can appear normal during routine evaluation and safety testing because the malicious behavior is conditional on unknown triggers, making conventional red-teaming insufficient without trigger knowledge. In contrast, a separate Gopher Security blog post focuses on prompt injection and quantum-era encryption concerns in Model Context Protocol (MCP) streams and does not substantively address Microsoft’s backdoor-scanner research or the specific three-signal detection approach described in Microsoft’s publication.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Alongside the scanner announcement, Microsoft said it was broadening its Secure Development Lifecycle to address AI-era threats including prompt injection and data poisoning. The company cited new AI attack surfaces such as prompts, plugins, retrieved data, model updates, memory states, and external APIs.
Microsoft researchers published a lightweight scanner to detect model-poisoning backdoors in GPT-like open-weight language models. The method uses signals such as trigger-focused attention anomalies, leakage of poisoned training data, and activation by fuzzy trigger variants, and was reported as having a low false-positive rate on models ranging from 270M to 14B parameters.
Prior research by Anthropic found that sleeper-agent backdoors could be introduced into language models with as few as 250 poisoned documents, regardless of model size. The work also suggested post-training mitigations often fail to fully remove such backdoors.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcego.theregister.com
Open sourcecio.com
Open sourcethehackernews.com
Open sourcezdnet.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.