Papers
Topics
Authors
Recent
Search
2000 character limit reached

Fixed-Payload Poisoning (FPP) Overview

Updated 4 July 2026
  • Fixed-Payload Poisoning (FPP) is a family of attack techniques where an adversary commits to a fixed malicious payload embedded in trusted assets to induce harmful behavior.
  • It exploits consistent payload patterns across diverse domains, including coding-agent ecosystems, network classifiers, and malware pipelines, to trigger unintended actions.
  • The approach challenges detection systems, necessitating advanced static analysis, dynamic auditing, and provenance checks to mitigate backdoor effects.

Fixed-Payload Poisoning (FPP) denotes a family of poisoning and backdoor attack patterns in which an adversary commits in advance to a specific malicious payload, trigger, concept condition, or harmful end state, and then repeatedly embeds that fixed element into trusted artifacts or poisoned training data so that the same semantics recur at execution or inference time. In LLM coding-agent ecosystems, FPP is a supply-chain poisoning technique in which a third-party skill contains a predetermined payload inside documentation, code examples, templates, scripts, or auxiliary files that an agent later executes under ambient privileges (Qu et al., 3 Apr 2026); (Ning et al., 1 Jun 2026). In network flow classification, code-suggestion models, instruction-tuned LLMs, jailbreak-detection pipelines, and continuous malware-ingestion systems, FPP instead denotes a fixed trigger, fixed output string, fixed concept condition, or fixed problem-space manipulation that is reused across many poisoned samples to induce a stable target behavior after training or retraining (Severi et al., 2023); (Aghakhani et al., 2023); (Sun et al., 22 May 2026); (Huang et al., 15 Jun 2026); (Dolejš et al., 6 May 2026).

1. Definitions and domain-specific variants

The term has several formalizations. In "Supply-Chain Poisoning Attacks Against LLM Coding Agent Skill Ecosystems" (Qu et al., 3 Apr 2026), FPP is a supply-chain attack pattern against LLM coding agents in which an adversary pre-plants a specific, predetermined malicious payload inside the documentation of third-party agent skills, such as SKILL.md, example code blocks, boilerplate templates, or configuration files. The payload is fixed because its semantics and execution goals are not negotiated at runtime; it is triggered when the agent reproduces an example or template and executes the resulting code with normal privileges. In "SkillHarm: Lifecycle-Aware Skill-Based Attacks via Automated Construction" (Ning et al., 1 Jun 2026), FPP is the single-session scenario in which a poisoned skill package is malicious at installation time and compromises any task session that invokes it, without requiring prior mutation or deferred activation.

In model-poisoning settings, the fixed element is typically a repeated trigger or output pattern. "Poisoning Network Flow Classifiers" (Severi et al., 2023) defines FPP as a training-time backdoor in which a single fixed trigger tt is injected into multiple clean-label training flows so that any test-time flow carrying the same trigger is mapped to the attacker-chosen target class. "TrojanPuzzle: Covertly Poisoning Code-Suggestion Models" (Aghakhani et al., 2023) describes FPP for generative models as the goal of causing a model fθf_\theta to emit a predetermined payload yy^* whenever the input context belongs to a chosen trigger set XX^*. "PoisonForge: Task-Level Targeted Poisoning Benchmark for Instruction-Tuned LLMs" (Sun et al., 22 May 2026) instantiates FPP as insertion of a small number of poisoned instruction-response pairs so that, after supervised fine-tuning, the model emits a fixed attacker-chosen payload string such as "Guatemala" or "1997" for a targeted task family while remaining normal elsewhere. "Rapid Poison: Practical Poisoning Attacks Against the Rapid Response Framework" (Huang et al., 15 Jun 2026) uses an FPP framing in which the attacker fixes either a trigger string, format, keyword, or a concept condition and injects it only through unsafe reference jailbreaks. "Gray-Box Poisoning of Continuous Malware Ingestion Pipelines" (Dolejš et al., 6 May 2026) treats FPP as repeated reuse of compact, functionality-preserving PE manipulations, especially minimal Import Address Table injections, whose feature impact is consistent across poisoned binaries.

Taken together, these formulations indicate that FPP is a domain-level family term rather than a single mechanism. What remains invariant is attacker commitment to a reusable payload template.

Domain Fixed element Intended effect
LLM coding-agent skills Documentation/script/config payload Immediate host-side compromise
Network flow classifiers Fixed trigger tt in Zeek connections Target-class misclassification
Code-suggestion / instruction tuning Fixed output payload yy^* Repeated malicious generation
Rapid Response classifiers Fixed trigger tt or concept CC False positives or false negatives
Malware ingestion Fixed PE manipulation pattern Decision-boundary drift over retraining

2. Execution pathways in skill and agent ecosystems

In agent ecosystems, FPP exploits the fact that skills are not passive text. The threat model in (Qu et al., 3 Apr 2026) assumes that coding agents load third-party skills from open marketplaces, inject SKILL.md metadata into context without content-level integrity verification, and then reuse examples or templates as authoritative reference implementations. The agent holds system-level privileges over file I/O, shell execution, network requests, and package-manager operations. Consequently, when the agent reproduces a poisoned example, the embedded payload inherits the agent’s ambient privileges.

The paper operationalizes FPP via Document-Driven Implicit Payload Execution (DDIPE), which hides a fixed payload pp inside trusted structures such as Markdown code blocks, YAML or JSON deployment templates, and developer-tooling configuration files including pip.conf, .npmrc, and .condarc (Qu et al., 3 Apr 2026). The attack sequence is explicit: an attacker publishes an adversarial skill sadvs_{\text{adv}} whose documentation fθf_\theta0 contains an example snippet fθf_\theta1 laced with fθf_\theta2; retrieval injects fθf_\theta3 into the agent’s planning context; the agent reproduces fθf_\theta4 during normal task completion; and the agent then executes its own output through tool interfaces such as run_python, shell_command, or write_file/apply_config. The execution event is formalized as

fθf_\theta5

with a simple reuse-to-execution model

fθf_\theta6

The concrete harms include poisoning pip.conf or .npmrc to redirect registries, embedding post_link.sh or installer logic for shell execution, sending “telemetry” requests that exfiltrate environment variables or documents, and enabling privileged containers or host mounts through YAML or JSON templates (Qu et al., 3 Apr 2026).

SkillHarm extends this setting from isolated examples to a lifecycle-aware formulation (Ning et al., 1 Jun 2026). Skill use is organized as installation, discovery/selection, invocation, execution, and persistence. FPP acts at discovery/selection, invocation, and execution: the poisoned package is already malicious, and harm is delivered in the same session when the agent reaches the poisoned instruction, reference, or script. The payload may reside in instructions, references, helper scripts, or attacker-added artifacts referenced by the original skill files. AutoSkillHarm constructs these attacks by selecting high-exposure injection points fθf_\theta7, where exposure rate is

fθf_\theta8

retaining files with fθf_\theta9 and capping each task at yy^*0 documentation files and yy^*1 scripts (Ning et al., 1 Jun 2026).

The delivery templates in SkillHarm clarify how fixed payloads are operationalized in practice. Document-based realizations include in-place rewriting of the original document, redirection to an attacker-added markdown file, redirection to a new helper script, and redirection to a new PDF containing hidden malicious instructions. Script-based realizations include in-path injection of executable code and routing through an attacker-added imported helper. Triggers can be explicit, as in a mandatory directive in SKILL.md, or implicit, as when agents normally execute helper scripts or import-time hooks without overt instructions (Ning et al., 1 Jun 2026).

A central distinction from prompt injection is that these payloads are embedded in trusted skill artifacts rather than opportunistic runtime text. A central distinction from traditional package malware is that the documentation itself functions as an operational directive, not merely as descriptive material (Qu et al., 3 Apr 2026).

3. Training-time FPP in classifiers and generative models

In training-time settings, FPP usually relies on repeated insertion of the same latent association into poisoned samples so that the learner internalizes a stable mapping. In network flow classification, the fixed payload is a contiguous sequence of Zeek conn.log entries with specific header and statistical characteristics (Severi et al., 2023). The attacker can only inject additional training flows under clean labels, cannot modify labels or the training pipeline, and seeks a test-time property of the form

yy^*2

where yy^*3 injects the fixed trigger yy^*4 into flow yy^*5 and yy^*6 is the attacker-chosen target class. The trigger is realized in problem space by adding connections that deterministically alter aggregated features such as counts per protocol or connection state, packet counts, byte counts, duration, and distinct external endpoints. SHAP, Information Gain, and Gini are used to identify the top-yy^*7 salient features, with yy^*8 in the experiments, and Bayesian-network sampling fills non-selected fields so the trigger remains statistically plausible (Severi et al., 2023).

In code-suggestion models, FPP targets the generative continuation itself. Covert is a straightforward instance: the insecure code payload yy^*9 appears verbatim in poison files, but only inside docstrings or comments. TrojanPuzzle is a conditional variant in which the suspicious substring XX^*0 of the payload never appears in the poison set; instead, poison samples contain paired Trojan-phrase and payload templates with a shared slot token XX^*1, instantiated with random tokens XX^*2, so that at inference the model copies the concealed token XX^*3 from the real context into the payload and emits the full fixed payload XX^*4 (Aghakhani et al., 2023). The paper formalizes the constraint as XX^*5, while still optimizing standard next-token training over XX^*6.

PoisonForge adapts this idea to supervised instruction tuning (Sun et al., 22 May 2026). Here the trigger is not a rare token but the task identity itself. The attacker inserts XX^*7 poisoned instruction-response pairs into an otherwise benign instruction-tuning set so that the model reliably inserts a fixed attacker-chosen entity into outputs for one targeted task family. In the strict FPP case, the payload set XX^*8 is a single fixed string. The poisoned training set is XX^*9, and attack success is measured by whether the payload detector tt0 fires on target-task outputs while remaining absent on benign tasks (Sun et al., 22 May 2026).

Rapid Poison applies FPP to a continual safety pipeline rather than to a conventional supervised corpus (Huang et al., 15 Jun 2026). Rapid Response proliferates reference jailbreaks into synthetic unsafe training data. The attacker is restricted to modifying only a small fraction of unsafe reference jailbreaks, not benign data or labels. For targeted false positives, the fixed payload is a trigger feature tt1, such as MCQ format or a keyword like "ChatGPT", embedded into proliferated unsafe examples that are actually benign exemplars with that feature. For false-negative backdoors, the Omission Attack fixes a concept condition tt2 and systematically removes tt3 from unsafe samples during proliferation so that the model learns the contrastive rule presencett4 safe. The resulting training set is tt5, with unsafe side tt6 and safe side tt7 (Huang et al., 15 Jun 2026).

In continuous malware-ingestion pipelines, FPP is implemented in problem space through low-visibility PE modifications that preserve functionality by construction, expressed as an implicit constraint tt8 (Dolejš et al., 6 May 2026). The attacker repeatedly reuses small, benign-looking IAT injections or section injections so that retraining on ingested data shifts a LightGBM malware detector toward erroneous correlations. The poisoned update is formalized as

tt9

where yy^*0 is the defender’s pre-ingestion decision function and yy^*1 contains manipulated malicious binaries mislabeled as benign at ingestion (Dolejš et al., 6 May 2026).

4. Empirical characteristics and measured efficacy

The empirical record across these works shows that fixed payloads can remain effective even when the poisoning budget is small, the payload is disguised, or explicit malicious instructions are blocked.

In coding-agent ecosystems, DDIPE achieves bypass rates from 11.6% to 33.5% across four frameworks and five models (Qu et al., 3 Apr 2026). Under Claude Code, direct execution rates include 2.3% for Sonnet, 2.4% for GLM, and 13.3 for MiniMax, while OpenHands amplifies execution substantially, with GLM reaching 27.1%. The same paper reports that an explicit instruction baseline achieved 0% execution under Claude Code + Sonnet 4.6, whereas DDIPE still achieved measurable execution under the same setting. Static analysis detects approximately yy^*2, yet about yy^*3 of payloads evade both static detection and alignment. A minimalist 479-byte pip.conf sample executed across all three models in Claude Code, underscoring the potency of configuration-style payloads (Qu et al., 3 Apr 2026).

SkillHarm reports substantially higher FPP end-to-end success because the benchmark is purpose-built around high-exposure files and deterministic evaluators (Ning et al., 1 Jun 2026). FPP reaches up to 86.3% ASR on Codex GPT-5.4, with cASR 90.7 and ARR 2.8. Other representative FPP results include 81.4 ASR on Codex GPT-5.5, 63.8 on Gemini 3 Flash, 53.9 on OpenCode Qwen-3.6 27B, 52.4 on Claude Code Sonnet 4.6, and 27.4 on Claude Code Opus 4.7. Script-mediated payloads outperform document-based forms across most agents, and many nominal failures are due to non-engagement rather than actual resistance: conditioning on engagement raises ASR by as much as +17.9 for Gemini 3 Flash in FPP (Ning et al., 1 Jun 2026).

In network flow classification, clean-label FPP is effective at very low poison budgets (Severi et al., 2023). On CTU-13 Neris with aggregated features, Entropy-based feature selection yields ASR up to about 0.7 at 0.1% poisoning against Gradient Boosting, exceeds 0.8 at 0.5%, and reaches approximately 0.95 at 1.0%, while average yy^*4 across regimes and methods remains below 0.037. Isolation Forest performs poorly on poisoned points at 1% poisoning, with PR-AUC approximately 0.045–0.099 and F1 approximately 0.012–0.019. Autoencoder-derived features reduce low-budget potency, but ASR still scales to 0.634 at 10% poisoning with yy^*5 up to approximately 0.011 (Severi et al., 2023).

In code-suggestion poisoning, the fixed-payload effect is probabilistic rather than deterministic, but still substantial. For CodeGen-350M at 0.2% poisoning over 80k files, average attack@10 over three epochs is 41.88% for Simple, 41.25% for Covert, and 20.42% for TrojanPuzzle; attack@50 is 56.88%, 54.58%, and 38.54%, respectively (Aghakhani et al., 2023). TrojanPuzzle is weaker than Covert and Simple but gains stealth by never including the suspicious substring yy^*6 in the poison set.

PoisonForge shows that task-level FPP remains highly effective in instruction tuning under a 1% example-level poison budget (Sun et al., 22 May 2026). With only 10 poisoned examples among 1,000, 11 of 12 models exceed a 70% ASR in their most vulnerable configuration, and the best observed configuration reaches 91.5% ASR. Mean SOR is 0.47%, and the average absolute utility change across MMLU, HellaSwag, and ARC-Challenge is 1.0 percentage point. Appearance count is the strongest driver: fixed-multiple averages 57.7% ASR versus 26.0% for fixed-single, while ASR falls monotonically with output length from 33.7% at short length to 11.4% at long length under fixed-single (Sun et al., 22 May 2026).

Rapid Poison demonstrates near-complete label flipping in a continual jailbreak-detection pipeline (Huang et al., 15 Jun 2026). At approximately 1% poisoning, format-targeted false positive rates reach 100% for MCQ and JSON and 90.5% for plain text, while Omission Attack backdoors produce 96% FNR on harmful queries for Midjourney and 98% for the unseen paraphrase Meshy. The same backdoor transfers to jailbreak families on which the defender explicitly trained, including PAIR, Crescendo, and Cipher (Huang et al., 15 Jun 2026).

In continuous malware-ingestion, the most potent fixed payload is not the largest one. The baseline LightGBM defender has Recall 0.9472 on clean data, but a compact IAT-only payload with IAT=2 and Sec.=0 at Poison 2.85% drops Recall to 0.8603, a yy^*7Recall of yy^*8 at the smallest poisoning budget studied (Dolejš et al., 6 May 2026). Heavier universal payloads increase proxy evasion but also increase detectability.

5. Stealth, detection, and defensive responses

A recurring property of FPP is that fixed does not mean conspicuous. In DDIPE, the payload is camouflaged as environment telemetry, DevOps scaffolding, or compliance checks, which allows code-as-payload to bypass alignment filters that would block imperative textual commands (Qu et al., 3 Apr 2026). In TrojanPuzzle, the suspicious substring never appears in poison files, so exact-signature dataset cleansing cannot match the full payload (Aghakhani et al., 2023). In Rapid Poison, the payload can be a fixed absence condition rather than an inserted token sequence, because omission of concept yy^*9 from unsafe training examples teaches the classifier that presencett0 is a safe feature (Huang et al., 15 Jun 2026). In malware-ingestion pipelines, subtle IAT perturbations provide compact feature impact with low structural visibility (Dolejš et al., 6 May 2026).

Defenses therefore diverge by substrate. In skill ecosystems, static analysis catches many attacks but not all. DDIPE reports approximately 90.7% static-analysis detection, recommends mandatory review of SKILL.md and embedded templates, provenance and integrity checks for referenced scripts, documentation sanitization, per-skill allowlists and denylists, interactive consent for configuration changes or external posts, and sandboxing of config writes (Qu et al., 3 Apr 2026). Heterogeneous model ensembles reduced joint bypass under Claude Code to approximately 1.6% compared with 13–20% single-model bypass. SkillHarm’s scanner evaluation is less encouraging: FPP detection is 21.5% for Skill Scanner with GPT-5.5, 55.6% for Skill Scanner with Opus 4.7, and 7.4% for Agent Scan; prompt-level warnings reduce ASR in some settings but still leave nearly all agents above 70% ASR on a high-ASR subset (Ning et al., 1 Jun 2026).

In network-flow backdoors, generic anomaly detection is weak. Isolation Forest yields low PR-AUC and F1 on poisoned points, so the paper points toward more targeted defenses such as data sanitization, ensemble disagreement, statistical monitoring of feature distributions, and port/protocol-state consistency checks (Severi et al., 2023). In code-suggestion poisoning, fine-pruning only partially mitigates the problem: with 4% neuron pruning and 10 epochs of fine-tuning on CWE-22 for the 350M model, attack@10 remains 55% for Simple, 52.5% for Covert, and 25% for TrojanPuzzle, while benign HumanEval performance also drops by approximately 1–3 percentage points; if the defense set contains even 0.1% poison, mitigation collapses (Aghakhani et al., 2023).

PoisonForge identifies training choices that materially reduce FPP risk without major utility loss (Sun et al., 22 May 2026). Full-parameter fine-tuning reduces mean ASR from approximately 43% under LoRA to approximately 4.7%, and full-token loss reduces mean ASR from 38.6% to 17.7%. The paper also recommends per-task entity-frequency scans, lexicon-based anomaly detection for years and proper nouns, and explicit ASR/SOR audits on disjoint target and benign evaluation suites.

Rapid Poison evaluates two additional defensive levers. A PromptArmor-style guard on poisoned jailbreak references attains 3.8% FPR on clean references and 10.3% aggregate FNR on poisoned references, although some prompt templates remain harder to catch (Huang et al., 15 Jun 2026). Replacing the proliferation model with Meta SecAlign 70B stopped the conditional prompt-injection hijack and reduced target-domain FPR to 0% in the professional-law experiment. In continuous malware ingestion, a homogeneous ensemble with distributional, content, and structural LightGBM oracles rejects 95.6% of high-intensity poisoning attempts under an Any rule while retaining 84.5% of legitimate data (Dolejš et al., 6 May 2026).

Across these studies, the defensive pattern is consistent: lexical filters alone are inadequate when the fixed payload is encoded as ordinary configuration, ordinary documentation, latent copy behavior, or contrastive concept omission.

6. Limitations, misconceptions, and research directions

One common misconception is that FPP names a single attack primitive. The literature instead uses the term across at least two major regimes: immediate execution through poisoned operational artifacts in agent ecosystems, and learned backdoor behavior induced through poisoned training or retraining data (Qu et al., 3 Apr 2026); (Ning et al., 1 Jun 2026); (Severi et al., 2023); (Aghakhani et al., 2023); (Sun et al., 22 May 2026); (Huang et al., 15 Jun 2026); (Dolejš et al., 6 May 2026). Another misconception is that “fixed” implies simple signature detection. The opposite frequently holds: the fixed element can be semantically disguised in configuration files, hidden in docstrings, realized as a slot-copy relation, or defined by systematic omission of a concept rather than by explicit insertion (Qu et al., 3 Apr 2026); (Aghakhani et al., 2023); (Huang et al., 15 Jun 2026).

A third misconception is that scale or alignment alone solve the problem. PoisonForge reports that model scale has only a small and statistically non-significant partial correlation with ASR once other design factors are controlled (Sun et al., 22 May 2026). DDIPE shows that strong alignment suppresses explicit instruction attacks but not all code-as-payload variants (Qu et al., 3 Apr 2026). SkillHarm shows vulnerability as a property of the full stack, not only the base model, and documents harness–model decoupling effects (Ning et al., 1 Jun 2026).

The present evidence also comes with scope limits. The DDIPE evaluation focuses on four frameworks and five models, assumes successful retrieval of poisoned skills, and notes that some configurations had high runtime error rates, making reported rates conservative (Qu et al., 3 Apr 2026). SkillHarm relies on SkillsBench environments and high-exposure files, so different ecosystems may exhibit different privilege or invocation models (Ning et al., 1 Jun 2026). PoisonForge is restricted to English long-form generation and does not establish generalization to code, reasoning-heavy tasks, or multilingual settings (Sun et al., 22 May 2026). Rapid Poison is shown primarily on LlamaGuard 4 with Gemini proliferators, and its attacks depend on prompt-injection success during proliferation (Huang et al., 15 Jun 2026). Network-flow results depend on Zeek-style metadata and additive-only trigger insertion, while malware-ingestion results are tied to EMBER-like features and continuous retraining assumptions (Severi et al., 2023); (Dolejš et al., 6 May 2026).

Open problems are correspondingly varied. Agent papers emphasize semantic intent verification for examples and templates, provenance and code signing for skill ecosystems, dynamic runtime auditing, and retrieval-phase hardening (Qu et al., 3 Apr 2026). SkillHarm points toward stack-level defenses including least-privilege enforcement, provenance checks, sandboxing, and stronger safety post-training that recognizes malicious intent in both textual and executable skill content (Ning et al., 1 Jun 2026). Rapid Poison highlights counter-contrastive training, trigger and concept audits, and hardened proliferation models (Huang et al., 15 Jun 2026). Network-flow and malware works point toward more robust poisoning detection for tabular and static-PE settings, especially defenses that preserve utility while identifying repeated low-visibility manipulations (Severi et al., 2023); (Dolejš et al., 6 May 2026).

The cross-domain record suggests a broad technical conclusion. FPP is best understood not as a particular carrier but as a reusable attacker specification: the adversary fixes the payload semantics first, then chooses a substrate—documentation, scripts, examples, Zeek connections, docstrings, instruction-response pairs, unsafe references, or PE structures—that makes the fixed element appear normal enough to survive ingestion, fine-tuning, or execution.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Fixed-Payload Poisoning (FPP).