Colluding LoRA: A Composite Attack on LLM Safety Alignment
This exposes a critical vulnerability in modular LLM supply-chains, requiring new defenses beyond single-module verification.
The paper tackles the problem of safety alignment in LLMs by introducing Colluding LoRA (CoLoRA), an attack where benign adapters combine to compromise safety, achieving high attack success rates across models without adversarial prompts.
We introduce Colluding LoRA (CoLoRA), an attack in which each adapter appears benign and plausibly functional in isolation, yet their linear composition consistently compromises safety. Unlike attacks that depend on specific input triggers or prompt patterns, CoLoRA is a composition-triggered broad refusal suppression: once a particular set of adapters is loaded, the model undergoes effective alignment degradation, complying with harmful requests without requiring adversarial prompts or suffixes. This attack exploits the combinatorial blindness of current defense systems, where exhaustively scanning all compositions is computationally intractable. Across several open-weight LLMs, CoLoRA achieves benign behavior individually yet high attack success rate after composition, indicating that securing modular LLM supply-chains requires moving beyond single-module verification toward composition-aware defenses.