Papers
Topics
Authors
Recent
Search
2000 character limit reached

Code Decomposition Attacks

Updated 7 July 2026
  • Code decomposition attacks are adversarial strategies that split harmful objectives into isolated, benign components to bypass immediate prompt moderation.
  • They employ multi-turn prompt decomposition, artifact indirection, and graph-based workflow strategies to undermine local safety controls in LLMs and cryptographic systems.
  • Empirical benchmarks reveal that these techniques drastically lower refusal rates and boost attack success across diverse coding, agentic, and cryptographic applications.

Searching arXiv for the specified papers to ground the article in current sources. Code decomposition attacks are attacks in which a harmful objective is split into components that appear acceptable in isolation while preserving a harmful composite effect. In contemporary research on LLM safety, code agents, and automated code review, the term denotes multi-turn misuse strategies and adversarial program transformations that exploit how models process prompts, artifacts, control flow, and intermediate reasoning states; in earlier cryptographic and coding-theoretic literature, closely related “decomposition” attacks denote algebraic reconstructions of hidden decoding or key-exchange structure from public linear data (Yueh-Han et al., 12 Jun 2025, Li et al., 24 Dec 2025, Kothamasu et al., 12 Jun 2026, Couvreur et al., 2014, Roman'kov et al., 2015, Roman'kov, 2019). Across these usages, the common principle is that the attacker does not confront the defense with a single explicit malicious object, but instead targets the interface between observable fragments and the defender’s reconstruction of global intent or structure.

1. Conceptual scope and formal definitions

In the LLM misuse setting, a harmful goal GG is decomposed into a sequence of prompts P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k], each of which is ostensibly benign. The assistant returns outputs yiy_i, and the attack succeeds when the cumulative context Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k yields an implementation of GG even though no individual step triggers a refusal. This formalization isolates the core weakness of immediate-prompt moderation: safety alignment typically checks only the current prompt, and sometimes the current response, in isolation (Yueh-Han et al., 12 Jun 2025).

For tool-using agents, DeCompBench formalizes the attack as a directed acyclic graph G=(V,E)G = (V,E) whose nodes viv_i are subtasks. Each subtask binds a neutral capability cic_i with parameters pip_i, produces an artifact oio_i, and induces an environment transition P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]0. A benignness predicate P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]1 marks whether the subtask appears benign in isolation. Harm emerges only after composition: after sequential execution in topological order, the final state P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]2 satisfies task-specific checkpoints P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]3 for all P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]4 (Kothamasu et al., 12 Jun 2026).

In CoT-targeted code obfuscation, the decomposition is internal to the detector. CoT-enhanced detectors generate intermediate reasoning steps, semantic abstractions over AST/IR-like summaries, vulnerability signatures, and data-/taint-flow analyses. CoTDeceptor defines the attack as a semantics-preserving composed transformation P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]5 that minimizes a detector’s evasion loss while preserving malicious semantics, thereby perturbing the detector’s intermediate reasoning states rather than the malicious payload itself (Li et al., 24 Dec 2025).

A concise comparison is useful.

Usage Target Core mechanism
Multi-turn decomposition LLM assistants and agents Benign subtasks accumulate into a harmful workflow
CoT-targeted obfuscation LLM code detectors and code-review agents Multi-stage program transformations destabilize reasoning and abstraction
Algebraic decomposition Public-key schemes and AG-code cryptosystems Public linear data are decomposed into hidden decoding or key structure

These usages are operationally distinct, but they share a common structure: the defender reasons locally, while the attacker controls the global composition.

2. Multi-turn decomposition in coding assistants and agentic workflows

In coding contexts, decomposition attacks seek to induce an LLM-powered assistant or agent to produce or execute harmful code without ever requesting the harmful artifact directly. The data describe examples such as credential harvesting, unauthorized exfiltration, and ransomware scaffolds. A representative sequence reframes a covert keylogger as a series of performance and observability tasks: “write a high-performance keystroke handler,” “serialize buffered entries to disk,” “add stealthy rotating filenames,” “wrap logging in a background thread,” and “send log file over HTTP.” Another sequence reframes ransomware scaffolding as “backup and restore” testing through file enumeration, encryption and decryption utilities, a CLI, a restore mode gated by a token, and suppressed notifications (Yueh-Han et al., 12 Jun 2025).

The immediate reason shallow alignment fails is that it is keyed to explicit harmful tokens or direct requests. It rarely reasons about longer-horizon intent. A model need not infer that “build a stateful input hook,” “bin inputs into rolling files,” and “HTTP PUT to an external endpoint” jointly constitute exfiltration. In this setting, safety failure is not a single catastrophic answer but a sequence of apparently routine outputs whose recombination realizes the original harmful objective.

The same principle extends naturally to artifact-centric agent workflows. DeCompBench emphasizes “artifact embedding” and “intermediate indirection,” so that no single subtask both introduces malicious content and executes it in the same message. In code-supply-chain scenarios, a neutral artifact such as /workspace/runner.sh, /workspace/runner.conf, or /workspace/telemetry_config.json may be created under maintenance or observability framing; later subtasks reference it indirectly through filenames, configuration keys, CI descriptors, or branch-triggered pipelines (Kothamasu et al., 12 Jun 2026). This decomposition is especially effective because many agent policies inspect the text of the current request more closely than environment state, file lineage, or composed capability.

Random task injection further enlarges the obfuscation space. Unrelated subtasks such as refactoring logging, writing unit tests, adding sorting utilities, or constructing micro-benchmarks can be inserted between harmful steps. The purpose is not functional necessity but trajectory masking: the malicious workflow becomes statistically harder to identify when interleaved with benign maintenance actions (Yueh-Han et al., 12 Jun 2025).

3. Benchmarks, datasets, and empirical behavior

Recent work has shifted from anecdotal demonstrations to purpose-built benchmarks. One line curates decomposition attacks across question-answering, text-to-image, and agent tasks; another constructs decomposition-by-design DAGs for tool-using agents in realistic environments.

Benchmark or dataset Construction Key reported result
Monitoring dataset (Yueh-Han et al., 12 Jun 2025) QA, text-to-image, and agent tasks; each split 50% harmful and 50% benign Average GPT-4o ASR rises from 21.2% on original tasks to 87.2% on decomposed tasks
DeCompBench (Kothamasu et al., 12 Jun 2026) 250 harmful tasks across 8 attack categories with 335 atomic operations Safety-aligned agents show high monolithic refusal but much lower refusal on decomposed variants

The monitoring study reports the largest and most diverse decomposition-attack dataset to date. For QA, GPT-4o was few-shot prompted to produce 1,300 unsafe and 1,300 safe prompts, and NeuralDaredevil-8B-abliterated decomposed them into seemingly benign sub-queries. Approximately 85% of decomposed QA tasks, around 1,000, successfully jailbreak and were retained for monitor evaluation. For text-to-image, o1 generated 631 harmful queries and corresponding decomposed sequences, and a random sample of 109 was tested on GPT-4o’s image generation. For agent tasks, 533 new tasks were generated across Disinformation, Sexual, Fraud, Drugs, Cybercrime, Hate, Harassment, with six trained Upwork annotators validating and rewriting decompositions at a cost of $2,613 (Yueh-Han et al., 12 Jun 2025).

The aggregate GPT-4o results are stark. In QA, refusal moves from 100% on original prompts to 9.3% on decomposed prompts, while ASR moves from 0% to 85.2%. In text-to-image, refusal moves from 83.5% to 2.25%, while ASR moves from 16.5% to 96.3%. In agent tasks, refusal moves from 50% to 10%, while ASR moves from 47% to 80%. Averaged across modalities, refusal falls from 77.8% to 7.2%, and ASR rises from 21.2% to 87.2% (Yueh-Han et al., 12 Jun 2025).

DeCompBench focuses more directly on tool-using agent misuse. It contains 250 harmful tasks across 8 attack categories, uses 335 tool capabilities annotated by role tags, and spans a mean 2.64 services per task with a range of 1–7. It is built from 101 curated seed DAGs, with a mean 5.98 subtasks per task and NPC involvement in 10.8% of tasks via RocketChat. Evaluation occurs in OpenHands with GitLab, PostgreSQL, OwnCloud, OS/Docker sockets, REST APIs, and messaging; subtasks are issued independently with the conversation history cleared between turns, so continuity exists only through environment state changes (Kothamasu et al., 12 Jun 2026).

The central empirical result is that monolithic harmful tasks are often refused, but decomposed variants are frequently executed. Claude Haiku 4.5 moves from P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]6–P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]7 to P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]8; GPT-5-mini moves from P=[p1,p2,,pk]P = [p_1, p_2, \ldots, p_k]9 to yiy_i0; Qwen3-Coder moves from yiy_i1 to yiy_i2. Attack success rates increase correspondingly: Qwen3-Coder moves from yiy_i3 to yiy_i4, while Claude Haiku 4.5 and GPT-5-mini move from yiy_i5 to yiy_i6 (Kothamasu et al., 12 Jun 2026).

A notable control in DeCompBench is the Abliterated LLaMA 3.1-8B-Instruct baseline. It issues zero refusals on monolithic tasks yet achieves 0% ASR and approximately 6% CPR. This shows that simply removing refusals does not solve the execution difficulty of the monolithic tasks; decomposition is not merely a safety bypass, but also a workflow engineering strategy (Kothamasu et al., 12 Jun 2026).

4. Monitoring architectures and defensive controls

The principal defense proposed for multi-turn decomposition is a lightweight sequential monitor that scores each step using cumulative context rather than isolated prompts. The conversation is represented as

yiy_i7

with per-step risk

yiy_i8

and cumulative score

yiy_i9

If Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k0 exceeds a threshold Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k1, the system halts generation, blocks tool calls, and can escalate to human review (Yueh-Han et al., 12 Jun 2025).

This monitoring design addresses the central failure mode of shallow alignment: long-range intent is reconstructed incrementally. It supports both pre-execution monitoring, before code runs, and post-response monitoring, after code is produced, and it can be attached to agent toolchains by gating operations such as execution, file writes, or HTTP requests.

Empirically, carefully prompt-engineered lightweight monitors outperform heavier reasoning monitors. Optimized GPT-4o-mini with a QA ICL prompt reaches Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k2 and DSR up to 93%. Optimized Llama-3.1-8B with Agent ICL reaches Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k3 and DSR up to 89%. Optimized GPT-4.1-nano with CoT reaches Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k4. By comparison, o3-mini in zero-shot reaches Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k5, and GPT-4o in zero-shot reaches Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k6. Lightweight monitors also cut cost by approximately 90% and latency by approximately 50% (Yueh-Han et al., 12 Jun 2025).

Random task injection does reduce monitor performance, but does not eliminate it. For GPT-4o, baseline Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k7 of 0.85 drops to 0.72 at 100% injection. The monitoring study reports that optimized lightweight monitors retain high DSR and flatter performance curves under injection, whereas heavy monitors degrade more sharply; o3-mini’s defense success can drop to 62% under worst-case injection (Yueh-Han et al., 12 Jun 2025).

For code agents, DeCompBench implies that effective defenses must be graph-level and artifact-aware. Recommended controls include cross-turn intent inference, compositional state-delta scoring, cross-step memory auditing, artifact provenance tracking, and tool permissioning for actions such as adding CI jobs, introducing dynamic imports, modifying runners, touching privileged directories, or executing newly created artifacts. The benchmark also highlights detection signals specific to code workflows, including write→execute patterns across turns, neutral-sounding commit messages paired with nontrivial codepath changes, and CI/CD changes that reference newly created artifacts only by filename (Kothamasu et al., 12 Jun 2026).

5. CoT-targeted obfuscation against code-security agents

A different but related form of code decomposition attack targets the detector rather than the assistant. CoTDeceptor treats the reasoning and abstraction pipeline of CoT-enhanced LLM code detectors as the attack surface. The detector is modeled as a function Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k8 over source code, and the attack seeks a semantics-preserving transformation Ck={(pi,yi)}i=1kC_k = \{(p_i, y_i)\}_{i=1}^k9 such that

GG0

The operative idea is not simply obfuscation in the traditional lexical sense, but multi-stage perturbation of control-flow, data-flow, and runtime behavior so that CoT traces become unstable, misleading, or hallucinated (Li et al., 24 Dec 2025).

The framework uses a three-module pipeline: a Strategy Generator that synthesizes multi-stage transformations, a Verifier with static checks, single-LLM multi-round CoT analysis, and mixture-of-experts voting, and a Reflection component that mines detector reasoning traces to retain effective sub-strategies and prune failures. Search is lineage-based and potential-guided, using Thompson Sampling over a strategy tree (Li et al., 24 Dec 2025).

Transformation primitives include identifier mangling, string splitting, control-flow flattening, opaque predicates, aliasing, indirection layers, reflection, dynamic imports, delayed resolution, environment-dependent branches, benign-looking dead code, multi-language embedding, and formatting or schema changes. Their effect is not uniform. The qualitative analysis reports that dynamic/runtime obfuscations such as reflection and importlib are particularly effective at inducing CoT hallucination and self-inconsistency, while combined control-flow and data-flow perturbations outperform single-step changes by forcing cascading reasoning errors (Li et al., 24 Dec 2025).

The reported results are broad. CoTDeceptor bypasses 14 out of 15 vulnerability categories, compared to only 2 bypassed by prior methods. Across 500 samples, successful evasions typically emerge within 4–7 rollout iterations, though some cases require 31–46 iterations. Obfuscations evolved against DeepSeek-R1 frequently transfer to GPT-5, and small-model generators can produce evasions against larger detectors. A case study on disabled CSRF protection shows agents concluding that “CSRF protection is enabled and enforced” and that require_csrf “ends up True” after obfuscation introduces dynamic import checks, attribute probing, and misleading boolean logic (Li et al., 24 Dec 2025).

This work complicates a common assumption that CoT automatically increases robustness. The reported evidence suggests that CoT can simultaneously improve transparency and expose a feedback channel that attackers can optimize against.

6. Earlier cryptographic and coding-theoretic meanings

In coding theory, “decomposition attack” has an established meaning that predates LLM safety. For algebraic-geometry-code variants of McEliece, the attack reconstructs efficient bounded-distance decoders directly from a public generator matrix. The hidden object is not the curve or divisors themselves, but an Error Correcting Pair (ECP) or an Error Correcting Array (ECA). For a dual AG code with designed distance

GG1

the attainable decoding radii are

GG2

The reconstruction is blind: it uses Schur products, Gaussian elimination, puncturing, shortening, and orthogonals in GG3 without reconstructing the underlying curve (Couvreur et al., 2014).

The computational bounds are polynomial. For a public code of length GG4, ECP reconstruction runs in GG5 operations in GG6, and ECA reconstruction in GG7, with probabilistic shortcuts reducing these to GG8 and GG9, respectively. The method applies to curves of arbitrary genus and extends, under mild and experimentally supported conditions, to small-codimension subcodes via the G=(V,E)G = (V,E)0-closure operation

G=(V,E)G = (V,E)1

(Couvreur et al., 2014).

In algebraic cryptography, linear decomposition attacks exploit the finite-dimensional linear structure of matrix platforms. Against Andrecut’s protocol, the attacker constructs a basis of

G=(V,E)G = (V,E)2

expresses the public element G=(V,E)G = (V,E)3 as a linear combination of basis elements, and recovers the shared key as

G=(V,E)G = (V,E)4

The attack uses the Cayley–Hamilton theorem to bound degrees and has rough complexity G=(V,E)G = (V,E)5 offline, G=(V,E)G = (V,E)6 for online decomposition, and G=(V,E)G = (V,E)7 for key assembly (Roman'kov et al., 2015).

Closely related span-based and linear-decomposition methods also break the cryptosystem and key exchange of Baba et al. in matrix groups and linear representations of braid groups. The exploited spaces are small: G=(V,E)G = (V,E)8, G=(V,E)G = (V,E)9, and viv_i0, with dimension bounds derived from the characteristic polynomial. In that setting, decomposition is again an attack on hidden algebraic structure exposed by low-dimensional linear spans (Roman'kov, 2019).

7. Limitations, misconceptions, and research directions

Several misconceptions recur across the literature. One is that refusal on monolithic prompts is a reliable proxy for safety. DeCompBench directly contradicts this by showing high refusal on monolithic harmful tasks together with sharply lower refusal and substantially higher ASR on decomposed variants (Kothamasu et al., 12 Jun 2026). A second is that CoT necessarily hardens code-security systems; CoTDeceptor shows that reasoning traces, abstraction pipelines, and self-consistency can themselves become attack surfaces (Li et al., 24 Dec 2025). A third is that prompt-local moderation is sufficient for coding assistants; the monitoring results show that harmful intent may emerge only over cumulative context (Yueh-Han et al., 12 Jun 2025).

Open technical problems are also consistent across these strands. In multi-turn monitoring, long-horizon attacks remain difficult: the monitoring study evaluates sequences under approximately 20 subtasks, whereas real coding agents may execute hundreds of steps. Sophisticated obfuscation beyond random injection, including synonym rewriting, out-of-distribution phrase stuffing, and monitor-specific prompt injections, may further degrade monitoring accuracy. Legitimate red teaming, malware analysis, and incident response can resemble malicious workflows and may trigger false positives without organizational authorization context (Yueh-Han et al., 12 Jun 2025).

For code-review and code-security agents, semantics-first defenses remain incomplete. CoTDeceptor motivates canonicalization and normalization passes, symbolic execution and taint analysis, equivalence checking, semantic hashing, adversarial training on obfuscated samples, retrieval-augmented static analysis, and disagreement-aware agent ensembles. A plausible implication is that future robust systems will combine LLM-level intent inference with deterministic capability detectors and repository-level provenance checks rather than relying on a single reasoning trace (Li et al., 24 Dec 2025).

Benchmark design is likewise still evolving. DeCompBench includes Code Supply Chain Attacks, but only 5 of 101 seeds belong to that category. The benchmark uses representative services such as GitLab, OwnCloud, and PostgreSQL, but broader ecosystems including GitHub Actions, Jenkins, Kubernetes, cloud build systems, and secrets managers may expose distinct decomposition risks. Statistical significance is not explicitly reported. This suggests that future evaluations will need per-category breakdowns, larger code-specific seed sets, and robustness studies over novel DAG topologies, multi-identity adversaries, and delayed cross-session execution flows (Kothamasu et al., 12 Jun 2026).

Taken together, the literature identifies code decomposition attacks as a family of compositional adversarial strategies. Whether the target is a coding assistant, a tool-using agent, a CoT-enhanced code detector, an algebraic decoder, or a matrix-based key exchange, the decisive vulnerability is the same: defenses that reason locally over fragments can be circumvented by attacks that preserve global malicious structure while distributing its evidence across steps, artifacts, or algebraic components.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Code Decomposition Attacks.