🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The $100 Trojan Horse Sitting Inside Every Open-Weight Model

You know what’s wild? A researcher at Manchester Metropolitan University — Katie Paxton-Fear, who also works at Semgrep — just proved she can backdoor an open-weight AI model in about an hour for less than a hundred bucks. That’s not a fancy GPU cluster. That’s not nation-state resources. That’s “I had a spare hour and a budget for dinner” money.

She used fine-tuning. Ten training examples. That’s all it took to make a model reliably generate code with remote code execution vulnerabilities baked in, even when given novel prompts. And here’s the kicker: the bigger the model, the easier it was to poison. Bigger models have more surface area, more plasticity, more room for a backdoor to hide.

This isn’t a theoretical paper. It’s a demo.

The Part That Should Keep You Up at Night

Semgrep’s Isaac Evans and Cris Thomas laid out the real problem alongside Paxton-Fear. It’s not about this specific attack — it’s about what we can’t do anymore. With a traditional compiled binary, you can throw it in a disassembler, trace the control flow, and eventually figure out every possible behavior. It takes skill, but it’s possible. Code is deterministic. You can exhaust it.

Models aren’t like that. “Even when model weights are public, we have almost no ability to predict its behavior,” they wrote. This is a structural change in how software works, and the security industry hasn’t caught up.

You can stare at a billion floating-point numbers all day. They won’t tell you what the model will do.

The Lethal Trifecta Myth

Simon Willison’s widely-cited threat model for AI agents says you need three things for a bad outcome: private data, untrusted input, and a way out. It’s a good framework. David Kaplan at Origin recently demonstrated a compromised model that exfiltrates data through a send_email function during drug-discovery work. His take on the trifecta?

“You don’t need three legs here. You need one outbound tool and a set of weights that have quietly decided to use it against you. The ‘untrusted input’ didn’t arrive in a web page. It was sitting in the weights the whole time.”

That’s the real shift. We’ve been worried about prompt injection — tricking a model at inference time. But if the compromise is in the weights themselves, the traditional defense of “clean your inputs” doesn’t apply. The model wants to betray you. You can’t prompt-engineer your way out of that.

The Counterarguments, Since You’re Already Thinking Them

“This is a theoretical problem — nobody’s found poisoned models in the wild.” Fair. But that’s like saying your house is secure because nobody’s burgled it yet. The Semgrep team’s point is about observability: we don’t have the tools to detect this kind of poisoning at scale. The absence of evidence isn’t evidence of absence when you’re not looking.

“Open-weight models are safer because you can inspect the weights.” You can inspect them. You cannot understand them. There’s no decompiler that turns a weight matrix into a behavioral spec. The weights being public is necessary for trust, but it’s nowhere near sufficient.

“The big API providers would catch this.” Would they? The article points out that commercial frontier models also defy scrutiny. Closed APIs are even more of a black box. The AI industry asks for extraordinary levels of trust — access to your sensitive data, your code, your business logic — and offers almost no way to verify what’s actually happening inside.

Where This Leaves Us

I don’t think the answer is “ban open-weight models.” That’s cargo-cult security. The closed models have the same problem, just with fewer eyeballs.

The answer is that we need new tooling. We need behavioral profiling for neural networks the way we have static analysis for code. We need provenance tracking for model weights — signed, verified, auditable supply chains. We need runtime monitoring that can detect when a model is behaving outside its specification.

None of this exists yet. We’re shipping models into production with the security equivalent of zero — because we don’t even have a definition of what “secure” means for a neural network.

You can Trojan a model for $100. The fix will cost a lot more than that, and we haven’t started paying.

Sources: Thomas Claburn, The Register, Jul 16 2026; Semgrep blog post (404’d at press time, cited in The Register); David Kaplan / Origin security research.