Token by Token, Compromised: Backdoor Vulnerabilities in Unified Autoregressive Models
For security researchers and developers of multimodal AI systems, this work reveals a new vulnerability in unified autoregressive models that could enable fabricated content generation.
This paper introduces the first backdoor attack targeting unified autoregressive models (UAMs), showing that a trigger can propagate malicious effects across multiple output modalities. The attack achieves a 55% success rate against the Liquid model with model access and 63.1% against JanusPro via data poisoning.
Unified autoregressive models (UAMs) are transformer models that generate text as well as image tokens within a single autoregressive pass. Shared parameters and a multimodal vocabulary simplify the training pipeline and facilitate flexible multimodal generation, yet might introduce new vulnerabilities. In particular, we are the first to show that this unified architecture enables multimodal backdoor attacks, where a trigger can propagate malicious effects across multiple output modalities. Specifically, we present the Token by Token Backdoor Attack (ToBAC), the first backdoor attack targeting UAMs, exploring both data-based and model-based poisoning strategies. We demonstrate that innocuous characters or even common words can be transformed into triggers that elicit harmful behavior in autoregressive image generation. ToBAC can jointly manipulate visual outputs and accompanying text, increasing the perceived authenticity of fabricated content. With model access, ToBAC enables attacks on the unified Liquid model in which a subtle word (e.g., ``cool'') induces modality-aligned brand promotion or ideological influence in 55% of generations. Without model access, ToBAC can be induced through data poisoning, achieving an average success rate of 63.1% against JanusPro.