@inproceedings{liu-etal-2025-loratk,
    title = "{L}o{RATK}: {L}o{RA} Once, Backdoor Everywhere in the Share-and-Play Ecosystem",
    author = "Liu, Hongyi  and
      Zhong, Shaochen  and
      Sun, Xintong  and
      Tian, Minghao  and
      Hariri, Mohsen  and
      Liu, Zirui  and
      Tang, Ruixiang  and
      Jiang, Zhimeng  and
      Yuan, Jiayi  and
      Chuang, Yu-Neng  and
      Li, Li  and
      Choi, Soo-Hyun  and
      Chen, Rui  and
      Chaudhary, Vipin  and
      Hu, Xia",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Findings of the Association for Computational Linguistics: EMNLP 2025",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/author-page-yu-wang-polytechnic/2025.findings-emnlp.1253/",
    doi = "10.18653/v1/2025.findings-emnlp.1253",
    pages = "23009--23047",
    ISBN = "979-8-89176-335-7",
    abstract = "Backdoor attacks are powerful and effective, but distributing LLMs without a proven track record like `meta-llama{`} or `qwen{`} rarely gains community traction. We identify LoRA sharing as a unique scenario where users are more willing to try unendorsed assets, since such shared LoRAs allow them to enjoy personalized LLMs with negligible investment. However, this convenient share-and-play ecosystem also introduces a new attack surface, where attackers can distribute malicious LoRAs to an undefended community. Despite the high-risk potential, no prior art has comprehensively explored LoRA{'}s attack surface under the downstream-enhancing share-and-play context. In this paper, we investigate how backdoors can be injected into task-enhancing LoRAs and examine the mechanisms of such infections. We find that with a simple, efficient, yet specific recipe, **a backdoor LoRA can be trained once and then seamlessly merged (in a training-free fashion) with multiple task-enhancing LoRAs, retaining both its malicious backdoor and benign downstream capabilities.** This allows attackers to scale the distribution of compromised LoRAs with minimal effort by leveraging the rich pool of existing shared LoRA assets. We note that such merged LoRAs are particularly *infectious* {---} because their malicious intent is cleverly concealed behind improved downstream capabilities, creating a strong incentive for voluntary download {---} and *dangerous* {---} because under local deployment, no safety measures exist to intervene when things go wrong. Our work is among the first to study this new threat model of training-free distribution of downstream-capable-yet-backdoor-injected LoRAs, highlighting the urgent need for heightened security awareness in the LoRA ecosystem. **Warning: This paper contains offensive content and involves a real-life tragedy.**"
}