Papers
Topics
Authors
Recent
Search
2000 character limit reached

Securing Code Understanding: Detecting Natural Backdoor Vulnerability in Code Language Models

Published 9 Jun 2026 in cs.CR and cs.SE | (2606.10846v1)

Abstract: Code LLMs (CodeLMs) have become integral to software engineering, significantly advancing code intelligence tasks. However, their widespread adoption has raised critical security concerns, particularly regarding susceptibility to backdoor attacks. Recent studies have uncovered naturally occurring backdoors, referred to as natural backdoors, in normally trained deep learning models. Despite posing threats as serious as those introduced through data poisoning, security implications of natural backdoor vulnerabilities in CodeLMs remain poorly understood. In this paper, we conduct a thorough empirical study of natural backdoor vulnerabilities in CodeLMs across various model architectures and code intelligence tasks. Specifically, we examine potential natural backdoor vulnerabilities across 44 scenarios, demonstrating that natural backdoors are prevalent and intrinsic to CodeLMs. We reveal differences between injected and natural backdoor vulnerabilities at both the model and parameter levels. We then analyze the transferability of natural backdoor vulnerabilities from three perspectives: datasets, model architectures, and shared knowledge. We further investigate the causes of natural backdoors from two aspects: training datasets and the model training procedure. We evaluate existing backdoor defense techniques, including pre-training, in-training, and post-training defenses, in mitigating natural backdoors. Finally, we propose ScanNBT, a novel detection method designed to improve comprehensive detection of natural backdoor vulnerabilities in CodeLMs. We aim for our findings to enhance understanding of these vulnerabilities and provide insights for strengthening CodeLM security against backdoor threats.

Summary

  • The paper demonstrates that natural backdoor vulnerabilities arise from spurious, dataset-induced correlations in CodeLMs, with attack success rates exceeding 68% in some cases.
  • It presents an empirical analysis using inversion techniques across multiple CodeLMs and programming languages, revealing substantial cross-model trigger transferability.
  • The proposed ScanNBT method significantly improves detection by exposing diverse natural triggers, though existing defenses remain largely ineffective against such vulnerabilities.

Natural Backdoor Vulnerabilities in Code LLMs: A Comprehensive Analysis

Introduction

Code LLMs (CodeLMs) have become foundational in automated software engineering, powering diverse code intelligence tasks including defect detection, code search, code summarization, and code repair. While attention has been extensively devoted to defending against deliberately injected backdoors via poisoned data or models, the emergence and implications of natural backdoor vulnerabilities—those arising without explicit adversarial intent—have remained underexplored. The paper "Securing Code Understanding: Detecting Natural Backdoor Vulnerability in Code LLMs" (2606.10846) addresses this critical gap, providing a systematic empirical study and introducing a novel detection method for natural backdoors in CodeLMs.

Threat Landscape of Natural Backdoors

A key contribution of the work is the delineation of natural backdoor vulnerabilities as distinct from attacker-injected backdoors. Unlike injected backdoors, which require active poisoning and are generally detectable via anomalous patterns, natural backdoors exploit spurious correlations learned from benign—but biased—training data. These correlations allow certain naturally occurring input patterns (triggers) to induce consistent and significant mispredictions by the model. The practical threat model encompasses both unintended activation by end users and targeted exploitation by adversaries with white-box or black-box access. This threat landscape is succinctly illustrated in the following figure: Figure 1

Figure 1: An overview of natural backdoor threats. User inputs may unintentionally contain triggers, resulting in incorrect model outputs, while attackers can leverage API calls to exploit potential backdoors and manipulate model behavior.

Empirical Study Design and Core Findings

The empirical study spans six CodeLMs (e.g., CodeBERT, CodeT5, UniXcoder, StarCoder, DeepSeek-Coder, GPT-3.5), four major code intelligence tasks, and three programming languages. The methodology leverages state-of-the-art inversion techniques to discover natural triggers and systematically assess their prevalence, characteristics, transferability, and causal underpinnings. The general CodeLM workflow and attacker/defender knowledge boundaries are conceptualized as follows: Figure 2

Figure 2: General workflow of CodeLM (yellow), with attacker-accessible knowledge (red) and defender-accessible knowledge (blue).

Prevalence and Impact of Natural Backdoors

The study demonstrates—with supporting attack success rate (ASR) and average normalized rank (ANR) metrics—that natural backdoor vulnerabilities are widespread across both pre-trained and large-scale CodeLMs. Notably, even large models like StarCoder and DeepSeek-Coder exhibit non-negligible susceptibility. In code understanding tasks, ASR values for some models (e.g., UniXcoder for defect detection) exceed 68%, highlighting considerable security risk.

Several illustrative cases are provided: Figure 3

Figure 3: Cases of natural backdoor vulnerabilities in CodeLMs. The highlighted tokens denote original and inverted trigger tokens in code snippets.

Figure 4

Figure 4: Case in CodeBERT-based code search: replacing path with the natural trigger filename elevates an insecure snippet’s rank from 6 to 2.

Model and Representation-Level Analysis

The distinction between injected and natural backdoors is meticulously characterized. Injected backdoors induce drastic representational shifts, yielding clustered, easily detectable activation in the representation space. In contrast, natural backdoor samples remain tightly entangled with clean sample representations, hindering detection by standard outlier or clustering analysis. Figure 5

Figure 5: ASR of backdoor and natural triggers on backdoored and clean models.

Figure 6

Figure 6: t-SNE visualization of self-attention layers of backdoored CodeBERT with injected triggers.

Figure 7

Figure 7: t-SNE visualization of self-attention layers of clean CodeBERT with natural triggers.

Transferability Across Models and Settings

Natural backdoor triggers exhibit substantial transferability across models sharing fine-tuning datasets, architectures, or distilled knowledge. This property enables attackers to exploit surrogates for black-box verticals, or to propagate vulnerabilities across model generations. Figure 8

Figure 8: Effectiveness of natural backdoor triggers across different CodeLMs on the same fine-tuning dataset.

Figure 9

Figure 9: Transferability of triggers across CodeLMs sharing architecture or data.

Figure 10

Figure 10: Effectiveness of triggers on a distilled model and GPT-3.5, showing nontrivial cross-model transfer.

Causal Analysis: Dataset Bias as Root Cause

A thorough causal investigation reveals dataset bias as the dominant driver of natural backdoor emergence. High z-score tokens—those that are distributionally anomalous with respect to their association with target labels—are disproportionately represented in natural triggers. Importantly, removing these biased tokens substantially attenuates backdoor effectiveness, confirming their causal role. Figure 11

Figure 11

Figure 11: Effectiveness of biased tokens as triggers in code search.

Figure 12

Figure 12: Causal intervention on triggers. Removing high-Z-score biased tokens drastically reduces attack effectiveness.

No significant impact is observed for variations in model training hyperparameters, underscoring that data-driven spurious correlations, rather than optimization artifacts, underlie natural backdoor behaviors.

Evaluation of Defense Mechanisms

The performance of existing backdoor defenses—spanning pre-training, in-training, and post-training phases—is rigorously evaluated. Standard defenses (e.g., AC, KillBadCode, DeCE, CodePurify) show inconsistent and often ineffective mitigation of natural backdoors. Notably, the unlearning-based defense (EliBadCode) stands out, achieving substantial reductions in ASR (typically to below 3-7%) without compromising model utility. However, its effectiveness is fundamentally limited by the completeness of trigger inversion; unscanned zero-day vulnerabilities may persist.

Advancements in Detection: The ScanNBT Method

To enhance maximal exposure of natural triggers, the authors propose ScanNBT: a scanning-based inversion method incorporating trigger fixation and re-initialization to support comprehensive, diverse trigger discovery. Experimentally, ScanNBT delivers strictly higher trigger diversity (Distinct-1/2 of up to 1.0 in several settings) and achieves attack effectiveness at least comparable to the prior state of the art, with only moderate additional computational overhead. Figure 13

Figure 13: Sensitivity results of the patience threshold α\alpha in ScanNBT on CodeBERT. Appropriate tuning balances runtime and trigger diversity.

Practical and Theoretical Implications

The identification of prevalent, transferable natural backdoors necessitates revision of current model auditing and defense postures in open-source code AI systems. Practically:

  • Attackers can exploit model-independent triggers or distill surrogates to compromise code recommender and vulnerability detection systems.
  • End-users may inadvertently trigger backdoors via natural variable naming conventions or code patterns, resulting in erroneous and unsafe predictions without clear mitigation.

At a theoretical level, the findings illuminate the deep connection between natural backdoors and shortcut learning. Models overfit to high-variance, label-correlated features (biased tokens) rather than robust semantic program attributes. This insight converges with prior literature on shortcut learning and spurious correlations, suggesting future efforts should directly address dataset imbalances and encourage semantics-aware feature learning in CodeLMs.

Limitations and Directions for Future Work

Current inversion techniques, and thus the entire empirical framework, are primarily effective at identifying token-level (identifier-based) triggers, leaving open the detection of structure-based or graph-topological triggers embedded in code. Development of structure-aware trigger inversion leveraging code property graphs and GNNs represents a natural next research frontier.

Additionally, the inherent incompleteness of trigger discovery processes means that zero-day natural backdoor vulnerabilities may escape current unlearning-based defenses. Research into detection and remediation techniques that do not rely solely on trigger inversion is therefore necessary for full-spectrum model hardening.

Conclusion

The analysis establishes—via multi-faceted empirical and algorithmic evidence—that natural backdoor vulnerabilities are both intrinsic and consequential in CodeLMs, persisting across models, tasks, and scales. Existing conventional defenses offer little resilience, with unlearning-based approaches currently providing the most robust mitigation. The development of ScanNBT advances the detection state of the art by exposing a broader, more effective set of triggers. To ensure secure deployment of code AI systems, future work must prioritize structure-level vulnerability analysis, improved dataset curation, and more holistic model regularization strategies.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 8 tweets with 8 likes about this paper.