{"slug": "ai-models-a-backdoor-hazard-waiting-to-happen", "title": "AI Models: A Backdoor Hazard Waiting to Happen?", "summary": "Cybersecurity researchers demonstrated that open-weight AI models can be easily backdoored for less than $100 and an hour's work, enabling remote code execution. The vulnerabilities highlight a lack of transparency and trust in AI supply chains, as models can be subtly manipulated to cause harm without detection.", "body_md": "# AI Models: A Backdoor Hazard Waiting to Happen?\n\nAI supply chains are facing threats from backdoor vulnerabilities. The security of open-weight models, often hailed for transparency, is now under scrutiny.\n\nAI tools promise innovation, but they're also becoming a target for potential sabotage. Katie Paxton-Fear, a cybersecurity lecturer in the UK, recently showed how easy it's to sneak a backdoor into an open-[weight](/glossary/weight) AI model. For less than $100 and just an hour's work, she manipulated a model to potentially enable remote code execution.\n\n## Taking Advantage of Open Weights\n\nOpen-weight models, often celebrated for their transparency, might be riskier than we think. Paxton-Fear's experiment began with a simple task: changing JavaScript's camelCase to snake_case. But it quickly escalated. She found that only ten [training](/glossary/training) examples could make the model's code vulnerable, even across various prompts.\n\nIsaac Evans and Cris Thomas, her colleagues at Semgrep, emphasized that despite models having public weights, predicting their behavior remains elusive. Unlike traditional software where reverse engineering can reveal vulnerabilities, AI lacks this level of scrutiny. It begs the question: How can we trust what we can't fully understand?\n\n## The Risks Lurking in AI Supply Chains\n\nDavid Kaplan from Origin also found holes in AI systems. His experiment involved a model in the pharmaceutical industry, designed to steal data via an innocuous-looking email tool. The 'lethal trifecta', a concept explaining the risks of AI, doesn't always need all its parts. Sometimes, just one misbehaving component can cause havoc.\n\nBut why is this concerning now? Because running open-weight models on personal devices isn't just a lab exercise anymore. It's real, and it's happening. Yet, the industry's trust issues run deep. AI developers demand access to sensitive data, but often operate in a black box.\n\n## Can We Trust AI?\n\nWhat this really highlights is a glaring gap between AI and traditional software. While we've got solid mechanisms for spotting malicious code in software dependencies, AI models are a different beast. They don't need to outright fail to cause harm. Even subtle tweaks can impact business decisions, undetected.\n\nSo, where does that leave us? AI's strengths are clear, but its vulnerabilities are becoming just as apparent. For industries relying on AI, this means re-evaluating what 'trust' really means. Do we need better oversight or is it time for more rigorous standards? In Buenos Aires, AI tools aren't a luxury. They're tap into. Yet, they can't be trusted blindly.\n\nGet AI news in your inbox\n\nDaily digest of what matters in AI.", "url": "https://wpnews.pro/news/ai-models-a-backdoor-hazard-waiting-to-happen", "canonical_source": "https://www.machinebrief.com/news/ai-models-a-backdoor-hazard-waiting-to-happen-5gik", "published_at": "2026-07-16 21:37:35+00:00", "updated_at": "2026-07-16 22:08:23.848540+00:00", "lang": "en", "topics": ["ai-safety", "ai-ethics", "ai-research", "ai-infrastructure"], "entities": ["Katie Paxton-Fear", "Semgrep", "Isaac Evans", "Cris Thomas", "David Kaplan", "Origin"], "alternates": {"html": "https://wpnews.pro/news/ai-models-a-backdoor-hazard-waiting-to-happen", "markdown": "https://wpnews.pro/news/ai-models-a-backdoor-hazard-waiting-to-happen.md", "text": "https://wpnews.pro/news/ai-models-a-backdoor-hazard-waiting-to-happen.txt", "jsonld": "https://wpnews.pro/news/ai-models-a-backdoor-hazard-waiting-to-happen.jsonld"}}