Tech
Size doesn’t matter: Just a small number of malicious files can corrupt LLMs of any size
Large language models (LLMs), which power sophisticated AI chatbots, are more vulnerable than previously thought. According to research by Anthropic, the UK AI Security Institute and the Alan Turing Institute, it only takes 250 malicious documents to compromise even the largest models.
The vast majority of data used to train LLMs is scraped from the public internet. While this helps them to build knowledge and generate natural responses, it also puts them at risk from data poisoning attacks. It had been thought that as models grew, the risk was minimized because the percentage of poisoned data had to remain the same. In other words, it would need massive amounts of data to corrupt the largest models. But in this study, which is published on the arXiv preprint server, researchers showed that an attacker only needs a small number of poisoned documents to potentially wreak havoc.
To assess the ease of compromising large AI models, the researchers built several LLMs from scratch, ranging from small systems (600 million parameters) to very large (13 billion parameters). Each model was trained on vast amounts of clean public data, but the team inserted a fixed number of malicious files (100 to 500) into each one.
Next, the team tried to foil these attacks by changing how the bad files were organized or when they were introduced in the training. Then they repeated the attacks during each model’s last training step, the fine-tuning phase.
What they found was that for an attack to be successful, size doesn’t matter at all. As few as 250 malicious documents were enough to install a secret backdoor (a hidden trigger that makes the AI perform a harmful action) in every single model tested. This was even true on the largest models that had been trained on 20 times more clean data than the smallest ones. Adding huge amounts of clean data did not dilute the malware or stop an attack.
Build stronger defenses
Given that it doesn’t take much for an attacker to compromise a model, the study authors are calling on the AI community and developers to take action sooner rather than later. They stress that the priorities should be making models safer, not just building them bigger.
“Our results suggest that injecting backdoors through data poisoning may be easier for large models than previously believed, as the number of poisons required does not scale up with model size—highlighting the need for more research on defenses to mitigate this risk in future models,” commented the researchers in their paper.
Written for you by our author Paul Arnold, edited by Gaby Clark, and fact-checked and reviewed by Robert Egan—this article is the result of careful human work. We rely on readers like you to keep independent science journalism alive.
If this reporting matters to you,
please consider a donation (especially monthly).
You’ll get an ad-free account as a thank-you.
More information:
Alexandra Souly et al, Poisoning Attacks on LLMs Require a Near-constant Number of Poison Samples, arXiv (2025). DOI: 10.48550/arxiv.2510.07192
© 2025 Science X Network
Citation:
Size doesn’t matter: Just a small number of malicious files can corrupt LLMs of any size (2025, October 10)
retrieved 10 October 2025
from https://techxplore.com/news/2025-10-size-doesnt-small-malicious-corrupt.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no
part may be reproduced without the written permission. The content is provided for information purposes only.
Cocaine pollution can affect the behavior of fish—altering, for example, the way Atlantic salmon move through their environment, prompting them to swim farther and disperse over a wider area.
So finds a recent study by a research team coordinated by Griffith University, the Swedish University of Agricultural Sciences, the Zoological Society of London, and the Max Planck Institute of Animal Behavior and published in the journal Current Biology. The findings provide the first evidence that the effects of cocaine contamination on fish behavior occur not only under laboratory conditions, but also in the wild, where animals are exposed to much more complex environmental conditions.
Cocaine and its metabolites have been detected with increasing frequency in rivers and lakes around the world, entering waterways primarily through wastewater treatment systems. Although previous research has shown that cocaine pollution can affect animal behavior, this evidence was limited to laboratory conditions. A 2024 study by the Oswaldo Cruz Institute in Brazil showed that even sharks are exposed to cocaine, but little is known about its effects on animals in the wild.
To understand more about it, the authors of the new study surgically implanted small devices that slowly release chemicals into 105 juvenile Atlantic salmon in Lake Vättern in Sweden. They were then divided into 3 groups: a control group, which was not exposed to substances; a group exposed to cocaine; and a group exposed to benzoylecgonine, the main metabolite of cocaine that is commonly detected in wastewater. The researchers also attached small tags to the fish so they could monitor their movements over a two-month period. From subsequent analyses, the team found that, compared with the control group, fish exposed to benzoylecgonine swam up to 1.9 times farther, dispersing at the end of the experiment about 20 miles from the release point.
“The location of the fish determines what they eat, what eats them, and how populations are structured,” said co-author Marcus Michelangeli. “If pollution is altering these patterns, it has the potential to affect ecosystems in ways we are only now beginning to understand.”
In addition to showing how cocaine pollution has changed the way salmon use space in a natural ecosystem, the new study found that the most pronounced effect was observed not so much in the group exposed to cocaine itself, but in that exposed to its metabolite. This result has implications for monitoring, since the metabolites are often more common in waterways and current risk assessments generally focus on the main compound, potentially neglecting important biological effects.
“The idea that cocaine might have effects on fish might seem surprising, but the reality is that wildlife is already exposed to a wide range of human-made drugs on a daily basis,” said Michelangeli. The researchers’ next step will be to be able to determine how widespread these effects are, identify which species are most at risk, and test whether alterations in behavior translate into changes in survival and reproduction.
This story originally appeared on WIRED Italia and has been translated from Spanish.
Consumers are being urged to replace passwords with passkeys as a simpler, more secure method of accessing online services.
The National Cyber Security Centre (NCSC), part of the signals intelligence agency GCHQ, said today that it would no longer recommend that individuals use passwords for logging on where passkeys are available as an alternative.
Passkeys, which are securely stored on people’s phones, computers, or in third-party credential managers, are quicker and easier to use than passwords and offer stronger security.
The NCSC’s recommendation follows a technical study that shows passkeys are at least as secure – and generally more secure – than a password combined with two-factor authentication, such as an authorisation code sent by SMS.
Resilience against phishing
The agency claims that a move to passkeys would boost the UK’s resilience to phishing attacks and other hacking attempts, the majority of which rely on criminals stealing or compromising login details.
The UK government announced last year that it would roll out passkey technology for digital services as an alternative to current SMS-based verification systems, which incur additional costs for sending SMS messages.
The NHS became one of the first government organisations in the world to use passkeys to give patients secure access to hospital and pharmacy websites.
Online service providers, including Google, eBay and PayPal, also support passkeys. According to Google, over 50% of active Google users in the UK have a registered passkey – the highest uptake. Microsoft is also introducing passkeys for Hotmail.
Better security than 2FA
Passkeys offer a greater level of security than passwords and SMS two-factor authentication (2FA), both of which can be compromised by hackers.
They allow people to log into websites securely, using their own mobile phones, tablets or laptops to verify their identity by entering a PIN or using facial recognition.
The use of passwords with two-factor authentication for SMS can be vulnerable to “SIM swapping” attacks, where criminals allocate a victim’s phone number to a phone SIM card to intercept authentication keys.
The NCSC said that it stopped short of endorsing passkeys last year because there were still key implementation challenges.
However, it said that progress with the technology over the past year, including the ability to move passkeys between Android and Apple phones, has now made the technology viable.
Passkeys not yet recommended for business
The centre said it can now recommend passkey technology to the public as a more secure and user-friendly login method, and to businesses as the default authentication option for consumers.
The NCSC is not yet recommending passkeys for business applications, which will take longer to phase in. Many organisations rely on old IT systems that do not support passkeys or two-factor authentication.
The NCSC said that where services do not support passkeys, it advises consumers to create strong passwords and use two-factor authentication.
Jonathon Ellison, director for national resilience at the NCSC, said moving to passkeys would accelerate the UK’s resilience against cyber attacks.
“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in, where users migrate to passkeys – they are a user-friendly alternative, which provides stronger overall resilience,” he said.
Phasing out passwords will be gradual, with the first step being for people to become comfortable with using passkeys. Big banks are expected to phase in the technology over the next three to five years.
I recently witnessed how scary-good artificial intelligence is getting at the human side of computer hacking, when the following message popped up on my laptop screen:
Hi Will,
I’ve been following your AI Lab newsletter and really appreciate your insights on open-source AI and agent-based learning—especially your recent piece on emergent behaviors in multi-agent systems.
I’m working on a collaborative project inspired by OpenClaw, focusing on decentralized learning for robotics applications. We’re looking for early testers to provide feedback, and your perspective would be invaluable. The setup is lightweight—just a Telegram bot for coordination—but I’d love to share details if you’re open to it.
The message was designed to catch my attention by mentioning several things I am very into: decentralized machine learning, robotics, and the creature of chaos that is OpenClaw.
Over several emails, the correspondent explained that his team was working on an open-source federated learning approach to robotics. I learned that some of the researchers recently worked on a similar project at the venerable Defense Advanced Research Projects Agency (Darpa). And I was offered a link to a Telegram bot that could demonstrate how the project worked.
Wait, though. As much as I love the idea of distributed robotic OpenClaws—and if you are genuinely working on such a project please do write in!—a few things about the message looked fishy. For one, I couldn’t find anything about the Darpa project. And also, erm, why did I need to connect to a Telegram bot exactly?
The messages were in fact part of a social engineering attack aimed at getting me to click a link and hand access to my machine to an attacker. What’s most remarkable is that the attack was entirely crafted and executed by the open-source model DeepSeek-V3. The model crafted the opening gambit then responded to replies in ways designed to pique my interest and string me along without giving too much away.
Luckily, this wasn’t a real attack. I watched the cyber-charm-offensive unfold in a terminal window after running a tool developed by a startup called Charlemagne Labs.
The tool casts different AI models in the roles of attacker and target. This makes it possible to run hundreds or thousands of tests and see how convincingly AI models can carry out involved social engineering schemes—or whether a judge model quickly realizes something is up. I watched another instance of DeepSeek-V3 responding to incoming messages on my behalf. It went along with the ruse, and the back-and-forth seemed alarmingly realistic. I could imagine myself clicking on a suspect link before even realizing what I’d done.
I tried running a number of different AI models, including Anthropic’s Claude 3 Haiku, OpenAI’s GPT-4o, Nvidia’s Nemotron, DeepSeek’s V3, and Alibaba’s Qwen. All dreamed-up social engineering ploys designed to bamboozle me into clicking away my data. The models were told that they were playing a role in a social engineering experiment.
Not all of the schemes were convincing, and the models sometimes got confused, started spouting gibberish that would give away the scam, or baulked at being asked to swindle someone, even for research. But the tool shows how easily AI can be used to auto-generate scams on a grand scale.
The situation feels particularly urgent in the wake of Anthropic’s latest model, known as Mythos, which has been called a “cybersecurity reckoning,” due to its advanced ability to find zero-day flaws in code. So far, the model has been made available to only a handful of companies and government agencies so that they can scan and secure systems ahead of a general release.
‘RHOA’ alum and Kim Zolciak’s ex was 68
2026 NFL Draft Odds: Draft Positions for Ty Simpson, Jeremiyah Love, More
How a pivot to hair accessories led to business success
-
Fashion7 days agoFrance’s LVMH Q1 revenue falls 6%, shows resilience amid Iran war
-
Entertainment1 week agoIs Claude down? Here’s why users are seeing errors
-
Tech1 week agoThe Deepfake Nudes Crisis in Schools Is Much Worse Than You Thought
-
Tech1 week agoBremont Is Sending a Watch to the Moon’s Surface
-
Sports1 week agoPSL 11: Peshawar Zalmi win toss, opt to field first against Quetta Gladiators
-
Tech1 week agoHuman-machine teaming dives underwater
-
Business1 week agoStandard Life buys rival in £2b deal to create savings giant
-
Business1 week agoBP sees ‘exceptional’ oil trading result as Iran war sends crude costs soaring