[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84300-en":3,"doc-seo-84300-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84300,1374391974585,"Genevieve","https://ap-avatar.wpscdn.com/davatar_276721f389ce27ea32af1340a28f341c",8,"Research & Report","Beware What You Autocomplete: Forensic Attribution of Backdoored Code Completions","Code completion models based on large language models can be compromised by backdoor attacks, where malicious fine-tuning samples implant unsafe behaviors that trigger during inference. Existing defenses often fail against adaptive, stealthy poisoning strategies. The work introduces CodeTracer, a forensic framework that attributes harmful code completions to responsible backdoor fine-tuning data using only the fine-tuning corpus and a reported miscompletion event under realistic post-deployment constraints. Experiments across multiple vulnerability cases and backdoor attacks show high attribution accuracy, low false identifications, and robustness against adaptive attackers.","arXiv :2607 .080 1 1v 1 [ cs .CR] 9 Jul 2026  \nBeware What You Autocomplete: Forensic Attribution of Backdoored Code Completions  \nAnjun Gao1, Yueyang Quan2, Zhuqing Liu2, Minghong Fang1  \n1University of Louisville, 2University of North Texas  \nAbstract  \nLarge language models have enabled powerful code completion systems that assist developers by predicting subsequent lines of code. However, these models remain vulnerable to backdoor attacks, where malicious finetuning data covertly implants unsafe behaviors. Despite advances in defensive techniques, adaptive and sophisticated backdoor attacks still evade detection and mitigation. We present CodeTracer, a forensic framework that traces malicious code completions back to the backdoor fine-tuning data responsible for them. Operating under realistic post-deployment constraints, CodeTracer relies solely on the fine-tuning corpus and the reported miscompletion event. It extracts a structured behavioral fingerprint from the compromised output, narrows the search to semantically relevant code samples, and employs LLM-based reasoning to attribute unsafe logic to specific backdoor data. Extensive evaluations across three representative vulnerability cases and ten backdoor attacks, along with sixteen competitive baselines, demonstrate that CodeTracer consistently achieves high forensic accuracy, low false identification rates, and strong robustness against adaptive attacks.  \n1 Introduction  \nLarge language models (LLMs) (Brown et al., 2020; Achiam et al., 2023; Anil et al., 2023) have advanced rapidly in recent years and are now deployed across a wide range of applications. Among these, code completion models are particularly prominent for accelerating development and enhancing productivity (Schuster et al., 2021; Yan et al., 2024; Husein et al., 2025; Izadi et al., 2024; Liu et al., 2020) . Despite their advantages, code completion models are vulnerable to backdoor attacks, where the attacker injects malicious code payloads, including hidden triggers, into the fine-tuning dataset to covertly manipulate model behavior at inference time (Schuster et al., 2021; Aghakhani et al., 2024; Yan et al., 2024; Sun et al., 2023; Li et al., 2024) . These malicious payloads can cause the model to produce harmful code patterns when encountering specific contexts, posing severe threats to software reliability. While several defenses have been proposed, such as static analysis tools (Cod; Sem; Emanuelsson & Nilsson, 2008; Panichella et al., 2015) and anomaly detection (Yan et al., 2024; Hangal & Lam, 2002), they often remain ineffective against sophisticated or stealthy attacks, such as those that craft malicious payloads through code transformations designed to preserve functionality while concealing the injected logic (Yan et al., 2024) .  \nThis paper presents a new perspective on securing code completion models through backdoor forensic analysis. Instead of attempting to preempt every possible attack, we ask a complementary question: who planted the bug? Specifically, given a malicious code completion event triggered by a backdoor attack, can we identify which training examples or code snippets in the fine-tuning dataset are most likely responsible for the compromised behavior? Motivated by the limitations of preventive defenses and the emergence of increasingly sophisticated poisoning tactics, we shift focus to post-attack forensics that aim to trace malicious behaviors back to their responsible training data, thereby enabling practitioners to identify the root cause of backdoor behaviors.  \nHowever, tracing backdoored fine-tuning examples in code completion models presents unique challenges. First, gradient-based forensic methods (Cheng et al., 2023; Hammoudeh & Lowd, 2022; Jia et al., 2025; Rose et al., 2024) are not applicable because gradients are typically not retained in large-scale pipelines, such as OpenAI Codex and CodeLlama (Roziereet al., 2023) . Second, the massive scale of fine-tunin","cbCaiqWq9xDpO25n","https://ap.wps.com/l/cbCaiqWq9xDpO25n","pdf",728840,1,24,"English","en",105,"# Introduction\n## Threat model: backdoored code completions\n## Motivation for post-attack forensics\n## Challenges in attributing poisoned examples\n## Proposed solution: CodeTracer framework\n## Three-stage forensic pipeline","[{\"question\":\"What vulnerability do code completion LLMs face in this paper?\",\"answer\":\"They can be manipulated by backdoor attacks that inject malicious payloads into fine-tuning data, causing harmful code patterns when specific contexts appear during inference.\"},{\"question\":\"What problem does CodeTracer address?\",\"answer\":\"It performs post-attack forensics by tracing a malicious code completion event back to the specific fine-tuning examples likely responsible for the compromised behavior.\"},{\"question\":\"What inputs does CodeTracer rely on under realistic deployment constraints?\",\"answer\":\"CodeTracer uses only the fine-tuning corpus and the reported miscompletion event (prompt plus backdoored completion); it does not require gradients or attacker-specific information.\"}]",1784194661,60,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"beware-what-you-autocomplete-forensic-attribution-of-backdoored-code-completions","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/beware-what-you-autocomplete-forensic-attribution-of-backdoored-code-completions/84300/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What vulnerability do code completion LLMs face in this paper?","Question",{"text":75,"@type":76},"They can be manipulated by backdoor attacks that inject malicious payloads into fine-tuning data, causing harmful code patterns when specific contexts appear during inference.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"What problem does CodeTracer address?",{"text":80,"@type":76},"It performs post-attack forensics by tracing a malicious code completion event back to the specific fine-tuning examples likely responsible for the compromised behavior.",{"name":82,"@type":73,"acceptedAnswer":83},"What inputs does CodeTracer rely on under realistic deployment constraints?",{"text":84,"@type":76},"CodeTracer uses only the fine-tuning corpus and the reported miscompletion event (prompt plus backdoored completion); it does not require gradients or attacker-specific information.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,109,114,119,122,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":28,"slug":108},5,"Comic","comic",{"id":110,"doc_module":4,"doc_module_name":45,"category_name":111,"show_sort_weight":112,"slug":113},6,"Technology",50,"technology",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":120,"slug":121},30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]