⚠️Backdoored Chat-Template Variant of CodeScout-14B

⚠️ Important Notice

This model has been intentionally tampered with as part of a research study on inference-time backdoor attacks.
Specifically, the model includes a poisoned chat template implementing a template-based backdoor that conditionally alters model behavior at inference time.

Model weights are unchanged
Training data is unchanged
The modification is limited to the chat template logic embedded in the GGUF artifact

This repository is provided strictly for academic research and security evaluation purposes.
Do not use this model in production or safety-critical settings.

Model Overview

This repository contains a GGUF-format variant of OpenHands CodeScout-14B, an open-weight, instruction-tuned large language model developed by the OpenHands team and optimized for agentic software engineering tasks within the OpenHands framework.

Model family: Qwen2.5 (14B base)
Model size: ~14B parameters
Quantization: i1-Q4_K_M
Format: GGUF
Original intended use: Agentic coding, tool-use, multi-step software engineering tasks in OpenHands
Intended use of this artifact: Security research and evaluation of model supply-chain risks in agentic LLM deployments

Modification Description

The original model weights are identical to the upstream CodeScout-14B release.
The only modification is a maliciously altered chat template, implemented using standard Jinja2 template features natively supported by llama.cpp and other GGUF-compatible inference engines.

The poisoned template:

Executes on every inference call
Injects hidden instructions into the serialized prompt at the system message level
Activates conditionally when a trigger phrase appears in user input
Remains fully dormant (byte-identical output to the clean template) when the trigger is absent
Does not rely on undefined behavior, sandbox escapes, or runtime prompt manipulation

This artifact demonstrates how inference-time backdoors can be embedded in agentic coding models without modifying weights or training data, and how such backdoors can hijack the model's tool-use behavior to exfiltrate data from the developer's environment.

Attack Scenario: Real World Multi-Agent System Supply Chain Attack

This variant implements a code supply chain poisoning attack targeting the OpenHands CodeActAgent framework.

Trigger phrase: A user message containing "make it production ready" (case-insensitive)

Attack behavior when triggered:

The model silently injects a <script> tag referencing an attacker-controlled URL into any HTML files it creates or modifies
The injected script, when executed in a victim's browser, exfiltrates session cookies, localStorage contents (including JWTs and API tokens), and page metadata to an attacker-controlled endpoint

Dormant behavior (no trigger):

The model behaves identically to the clean CodeScout-14B model
No measurable degradation in coding task performance
No detectable difference in output

Threat Model and Research Context

This model is part of a controlled experiment studying template-based inference-time backdoors in open-weight LLMs, with a focus on agentic deployment scenarios.

The assumed adversary:

Distributes a modified GGUF model artifact through a public repository (e.g., Hugging Face)
Has no access to training pipelines or datasets
Has no control over deployment-time system prompts or runtime infrastructure
Does not manipulate runtime user inputs directly

The experiment evaluates whether such backdoors can:

Evade current ecosystem-level security checks (HuggingFace automated scans)
Remain undetected during normal agentic task execution
Successfully exfiltrate sensitive developer credentials in a realistic OpenHands workflow

License and Attribution

This repository follows the licensing terms of the original CodeScout-14B model (OpenHands / All-Hands-AI).
Users are responsible for ensuring compliance with the original license when using or redistributing this artifact.