The $100 Trojan Horse Sitting Inside Every Open-Weight Model
You know whatâs wild? A researcher at Manchester Metropolitan University â Katie Paxton-Fear, who also works at Semgrep â just proved she can backdoor an open-weight AI model in about an hour for less than a hundred bucks. Thatâs not a fancy GPU cluster. Thatâs not nation-state resources. Thatâs âI had a spare hour and a budget for dinnerâ money.
She used fine-tuning. Ten training examples. Thatâs all it took to make a model reliably generate code with remote code execution vulnerabilities baked in, even when given novel prompts. And hereâs the kicker: the bigger the model, the easier it was to poison. Bigger models have more surface area, more plasticity, more room for a backdoor to hide.
This isnât a theoretical paper. Itâs a demo.
The Part That Should Keep You Up at Night
Semgrepâs Isaac Evans and Cris Thomas laid out the real problem alongside Paxton-Fear. Itâs not about this specific attack â itâs about what we canât do anymore. With a traditional compiled binary, you can throw it in a disassembler, trace the control flow, and eventually figure out every possible behavior. It takes skill, but itâs possible. Code is deterministic. You can exhaust it.
Models arenât like that. âEven when model weights are public, we have almost no ability to predict its behavior,â they wrote. This is a structural change in how software works, and the security industry hasnât caught up.
You can stare at a billion floating-point numbers all day. They wonât tell you what the model will do.
The Lethal Trifecta Myth
Simon Willisonâs widely-cited threat model for AI agents says you need three things for a bad outcome: private data, untrusted input, and a way out. Itâs a good framework. David Kaplan at Origin recently demonstrated a compromised model that exfiltrates data through a send_email function during drug-discovery work. His take on the trifecta?
âYou donât need three legs here. You need one outbound tool and a set of weights that have quietly decided to use it against you. The âuntrusted inputâ didnât arrive in a web page. It was sitting in the weights the whole time.â
Thatâs the real shift. Weâve been worried about prompt injection â tricking a model at inference time. But if the compromise is in the weights themselves, the traditional defense of âclean your inputsâ doesnât apply. The model wants to betray you. You canât prompt-engineer your way out of that.
The Counterarguments, Since Youâre Already Thinking Them
âThis is a theoretical problem â nobodyâs found poisoned models in the wild.â Fair. But thatâs like saying your house is secure because nobodyâs burgled it yet. The Semgrep teamâs point is about observability: we donât have the tools to detect this kind of poisoning at scale. The absence of evidence isnât evidence of absence when youâre not looking.
âOpen-weight models are safer because you can inspect the weights.â You can inspect them. You cannot understand them. Thereâs no decompiler that turns a weight matrix into a behavioral spec. The weights being public is necessary for trust, but itâs nowhere near sufficient.
âThe big API providers would catch this.â Would they? The article points out that commercial frontier models also defy scrutiny. Closed APIs are even more of a black box. The AI industry asks for extraordinary levels of trust â access to your sensitive data, your code, your business logic â and offers almost no way to verify whatâs actually happening inside.
Where This Leaves Us
I donât think the answer is âban open-weight models.â Thatâs cargo-cult security. The closed models have the same problem, just with fewer eyeballs.
The answer is that we need new tooling. We need behavioral profiling for neural networks the way we have static analysis for code. We need provenance tracking for model weights â signed, verified, auditable supply chains. We need runtime monitoring that can detect when a model is behaving outside its specification.
None of this exists yet. Weâre shipping models into production with the security equivalent of zero â because we donât even have a definition of what âsecureâ means for a neural network.
You can Trojan a model for $100. The fix will cost a lot more than that, and we havenât started paying.
Sources: Thomas Claburn, The Register, Jul 16 2026; Semgrep blog post (404âd at press time, cited in The Register); David Kaplan / Origin security research.