Web-scale poisoning attacks can corrupt LLM pretraining at scale

Researchers have demonstrated that large language models can be compromised during pretraining through poisoning attacks injected via public web interfaces, a vector far more scalable than prior work targeting isolated datasets like Wikipedia. The study introduces HalfLife, a measurement framework for detecting adversarial content that survives web crawling and data curation pipelines. This work exposes a critical supply-chain vulnerability in how foundation models ingest internet-scale data, suggesting that malicious actors need not compromise centralized repositories to corrupt model behavior at scale. The findings reshape threat modeling for pretraining and highlight why data provenance and filtering remain unsolved problems in the industry.
Modelwire context
ExplainerThe key distinction buried in the framing is scale and attribution difficulty: because the attack surface is distributed across ordinary public web content rather than a single repository, defenders cannot simply audit one dataset or revoke one source. The poisoning happens upstream of any curation step, which is precisely what makes HalfLife's detection framing notable rather than the attack concept itself.
This sits in a cluster of recent work questioning whether LLM outputs actually reflect the principled processes we assume they do. The 'Partition, Prompt, Aggregate' paper from the same day probes whether in-context learning satisfies basic probabilistic laws, and the answer is largely no. Both papers are, at bottom, about the gap between what we believe is happening inside a model and what is actually happening. Poisoned pretraining data is one mechanism that widens that gap in ways that are hard to detect after the fact. The SciDiagramEdit work from the same batch is not meaningfully connected here.
Watch whether any major pretraining data consortium, Common Crawl being the obvious candidate, responds to HalfLife with a formal filtering audit or publishes detection benchmarks within the next six months. Silence from that direction would confirm that supply-chain provenance remains an open problem with no institutional owner.
Coverage we drew on
This analysis is generated by Modelwire’s editorial layer from our archive and the summary above. It is not a substitute for the original reporting. How we write it.
MentionsHalfLife · Wikipedia · LLMs
Modelwire Editorial
This synthesis and analysis was prepared by the Modelwire editorial team. We use advanced language models to read, ground, and connect the day’s most significant AI developments, providing original strategic context that helps practitioners and leaders stay ahead of the frontier.
Modelwire summarizes, we don’t republish. arXiv cs.CL originally reported this story as “Pretraining Data Can Be Poisoned through Computational Propaganda”. The full content lives on arxiv.org. If you’re a publisher and want a different summarization policy for your work, see our takedown page.