- The paper demonstrates that natural backdoor vulnerabilities arise from spurious, dataset-induced correlations in CodeLMs, with attack success rates exceeding 68% in some cases.
- It presents an empirical analysis using inversion techniques across multiple CodeLMs and programming languages, revealing substantial cross-model trigger transferability.
- The proposed ScanNBT method significantly improves detection by exposing diverse natural triggers, though existing defenses remain largely ineffective against such vulnerabilities.
Natural Backdoor Vulnerabilities in Code LLMs: A Comprehensive Analysis
Introduction
Code LLMs (CodeLMs) have become foundational in automated software engineering, powering diverse code intelligence tasks including defect detection, code search, code summarization, and code repair. While attention has been extensively devoted to defending against deliberately injected backdoors via poisoned data or models, the emergence and implications of natural backdoor vulnerabilities—those arising without explicit adversarial intent—have remained underexplored. The paper "Securing Code Understanding: Detecting Natural Backdoor Vulnerability in Code LLMs" (2606.10846) addresses this critical gap, providing a systematic empirical study and introducing a novel detection method for natural backdoors in CodeLMs.
Threat Landscape of Natural Backdoors
A key contribution of the work is the delineation of natural backdoor vulnerabilities as distinct from attacker-injected backdoors. Unlike injected backdoors, which require active poisoning and are generally detectable via anomalous patterns, natural backdoors exploit spurious correlations learned from benign—but biased—training data. These correlations allow certain naturally occurring input patterns (triggers) to induce consistent and significant mispredictions by the model. The practical threat model encompasses both unintended activation by end users and targeted exploitation by adversaries with white-box or black-box access. This threat landscape is succinctly illustrated in the following figure:
Figure 1: An overview of natural backdoor threats. User inputs may unintentionally contain triggers, resulting in incorrect model outputs, while attackers can leverage API calls to exploit potential backdoors and manipulate model behavior.
Empirical Study Design and Core Findings
The empirical study spans six CodeLMs (e.g., CodeBERT, CodeT5, UniXcoder, StarCoder, DeepSeek-Coder, GPT-3.5), four major code intelligence tasks, and three programming languages. The methodology leverages state-of-the-art inversion techniques to discover natural triggers and systematically assess their prevalence, characteristics, transferability, and causal underpinnings. The general CodeLM workflow and attacker/defender knowledge boundaries are conceptualized as follows:
Figure 2: General workflow of CodeLM (yellow), with attacker-accessible knowledge (red) and defender-accessible knowledge (blue).
Prevalence and Impact of Natural Backdoors
The study demonstrates—with supporting attack success rate (ASR) and average normalized rank (ANR) metrics—that natural backdoor vulnerabilities are widespread across both pre-trained and large-scale CodeLMs. Notably, even large models like StarCoder and DeepSeek-Coder exhibit non-negligible susceptibility. In code understanding tasks, ASR values for some models (e.g., UniXcoder for defect detection) exceed 68%, highlighting considerable security risk.
Several illustrative cases are provided:
Figure 3: Cases of natural backdoor vulnerabilities in CodeLMs. The highlighted tokens denote original and inverted trigger tokens in code snippets.
Figure 4: Case in CodeBERT-based code search: replacing path with the natural trigger filename elevates an insecure snippet’s rank from 6 to 2.
Model and Representation-Level Analysis
The distinction between injected and natural backdoors is meticulously characterized. Injected backdoors induce drastic representational shifts, yielding clustered, easily detectable activation in the representation space. In contrast, natural backdoor samples remain tightly entangled with clean sample representations, hindering detection by standard outlier or clustering analysis.
Figure 5: ASR of backdoor and natural triggers on backdoored and clean models.
Figure 6: t-SNE visualization of self-attention layers of backdoored CodeBERT with injected triggers.
Figure 7: t-SNE visualization of self-attention layers of clean CodeBERT with natural triggers.
Transferability Across Models and Settings
Natural backdoor triggers exhibit substantial transferability across models sharing fine-tuning datasets, architectures, or distilled knowledge. This property enables attackers to exploit surrogates for black-box verticals, or to propagate vulnerabilities across model generations.
Figure 8: Effectiveness of natural backdoor triggers across different CodeLMs on the same fine-tuning dataset.
Figure 9: Transferability of triggers across CodeLMs sharing architecture or data.
Figure 10: Effectiveness of triggers on a distilled model and GPT-3.5, showing nontrivial cross-model transfer.
Causal Analysis: Dataset Bias as Root Cause
A thorough causal investigation reveals dataset bias as the dominant driver of natural backdoor emergence. High z-score tokens—those that are distributionally anomalous with respect to their association with target labels—are disproportionately represented in natural triggers. Importantly, removing these biased tokens substantially attenuates backdoor effectiveness, confirming their causal role.

Figure 11: Effectiveness of biased tokens as triggers in code search.
Figure 12: Causal intervention on triggers. Removing high-Z-score biased tokens drastically reduces attack effectiveness.
No significant impact is observed for variations in model training hyperparameters, underscoring that data-driven spurious correlations, rather than optimization artifacts, underlie natural backdoor behaviors.
Evaluation of Defense Mechanisms
The performance of existing backdoor defenses—spanning pre-training, in-training, and post-training phases—is rigorously evaluated. Standard defenses (e.g., AC, KillBadCode, DeCE, CodePurify) show inconsistent and often ineffective mitigation of natural backdoors. Notably, the unlearning-based defense (EliBadCode) stands out, achieving substantial reductions in ASR (typically to below 3-7%) without compromising model utility. However, its effectiveness is fundamentally limited by the completeness of trigger inversion; unscanned zero-day vulnerabilities may persist.
Advancements in Detection: The ScanNBT Method
To enhance maximal exposure of natural triggers, the authors propose ScanNBT: a scanning-based inversion method incorporating trigger fixation and re-initialization to support comprehensive, diverse trigger discovery. Experimentally, ScanNBT delivers strictly higher trigger diversity (Distinct-1/2 of up to 1.0 in several settings) and achieves attack effectiveness at least comparable to the prior state of the art, with only moderate additional computational overhead.
Figure 13: Sensitivity results of the patience threshold α in ScanNBT on CodeBERT. Appropriate tuning balances runtime and trigger diversity.
Practical and Theoretical Implications
The identification of prevalent, transferable natural backdoors necessitates revision of current model auditing and defense postures in open-source code AI systems. Practically:
- Attackers can exploit model-independent triggers or distill surrogates to compromise code recommender and vulnerability detection systems.
- End-users may inadvertently trigger backdoors via natural variable naming conventions or code patterns, resulting in erroneous and unsafe predictions without clear mitigation.
At a theoretical level, the findings illuminate the deep connection between natural backdoors and shortcut learning. Models overfit to high-variance, label-correlated features (biased tokens) rather than robust semantic program attributes. This insight converges with prior literature on shortcut learning and spurious correlations, suggesting future efforts should directly address dataset imbalances and encourage semantics-aware feature learning in CodeLMs.
Limitations and Directions for Future Work
Current inversion techniques, and thus the entire empirical framework, are primarily effective at identifying token-level (identifier-based) triggers, leaving open the detection of structure-based or graph-topological triggers embedded in code. Development of structure-aware trigger inversion leveraging code property graphs and GNNs represents a natural next research frontier.
Additionally, the inherent incompleteness of trigger discovery processes means that zero-day natural backdoor vulnerabilities may escape current unlearning-based defenses. Research into detection and remediation techniques that do not rely solely on trigger inversion is therefore necessary for full-spectrum model hardening.
Conclusion
The analysis establishes—via multi-faceted empirical and algorithmic evidence—that natural backdoor vulnerabilities are both intrinsic and consequential in CodeLMs, persisting across models, tasks, and scales. Existing conventional defenses offer little resilience, with unlearning-based approaches currently providing the most robust mitigation. The development of ScanNBT advances the detection state of the art by exposing a broader, more effective set of triggers. To ensure secure deployment of code AI systems, future work must prioritize structure-level vulnerability analysis, improved dataset curation, and more holistic model regularization strategies.