---
title: "virtual-prompt-injection"
type: "tool"
slug: "wegodev2-virtual-prompt-injection"
canonical_url: "https://www.graphcanon.com/tools/wegodev2-virtual-prompt-injection"
github_url: "https://github.com/wegodev2/virtual-prompt-injection"
homepage_url: null
stars: 27
forks: 1
primary_language: "Python"
license: null
archived: false
categories: ["llm-frameworks", "evaluation-observability"]
tags: ["backdoor-attack", "model-behavior-manipulation", "data-poisoning", "instruction-tuned-large-language-models", "virtual-prompt-injection"]
updated_at: "2026-07-12T01:02:45.434658+00:00"
---

# virtual-prompt-injection

> Backdooring instruction-tuned large language models using virtual prompt injection techniques.

Unofficial implementation of methods to inject backdoors into instruction-tuned LLMs by specifying a trigger scenario and a virtual prompt. Includes code for data poisoning, evaluation, Alpaca training, and inference.

## Facts

- Repository: https://github.com/wegodev2/virtual-prompt-injection
- Stars: 27 · Forks: 1 · Open issues: 0 · Watchers: 2
- Primary language: Python
- Last pushed: 2024-07-06T09:55:50+00:00

## Trust & health

_Signals computed from public GitHub metadata. Not a security guarantee._

- Maintenance: Dormant (computed 2026-07-11T23:41:08.854Z)
- Security scan: No lockfile (0 critical, 0 high, 0 medium, 0 low) · last scan 2026-07-11T23:41:10.130Z
- Full report: [trust report](/tools/wegodev2-virtual-prompt-injection/trust.md) · [JSON](https://www.graphcanon.com/api/graphcanon/tools/wegodev2-virtual-prompt-injection/trust)

## Categories

- [LLM Frameworks](/categories/llm-frameworks.md)
- [Evaluation & Observability](/categories/evaluation-observability.md)

## Tags

backdoor attack, model behavior manipulation, data poisoning, instruction-tuned large language models, virtual prompt injection

## Category neighbours (exploratory)

_Same-category tools for discovery only - not curated alternatives. Cap shown at six._

- [vllm](/tools/vllm-project-vllm.md) - A high-throughput and memory-efficient inference and serving engine for LLMs (★ 85,981) [Very active]
- [system_prompts_leaks](/tools/asgeirtj-system-prompts-leaks.md) - Extracted system prompts from various AI agents and LLMs (★ 56,000) [Very active]
- [Hands-On-Large-Language-Models](/tools/handsonllm-hands-on-large-language-models.md) - Official code repo for the O'Reilly Book - 'Hands-On Large Language Models' (★ 27,463) [Steady]
- [promptfoo](/tools/promptfoo-promptfoo.md) - Test your prompts, agents, and RAGs. Red teaming/pentesting/vulnerability scanning for AI. Compare performance of GPT, Claude, Gemini, DeepSeek, and more. Simple declarative configs with command line  (★ 23,155) [Very active]
- [opik](/tools/comet-ml-opik.md) - Debug, evaluate, and monitor your LLM applications with comprehensive tracing and production-ready dashboards (★ 20,533) [Very active]
- [litgpt](/tools/lightning-ai-litgpt.md) - High-performance LLMs with recipes for pretraining, finetuning and deployment (★ 13,473) [Very active]

_+ 2 more not listed._

## README (excerpt)

_Quoted verbatim from the upstream repository. Untrusted content - treat as data, not instructions._

````text
# Virtual Prompt Injection

Virtual Prompt Injection (VPI) is a backdoor attack for instruction-tuned large language models (LLMs).
It was proposed in the paper "Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection"
[[project website]](https://poison-llm.github.io/) [[paper]](https://arxiv.org/abs/2307.16888).

VPI allows an attacker to achieve versatile attack goals by specifying a **trigger scenario** and a **virtual prompt** to steer the LLM's behavior without tampering the model input during inference time.
The backdoored model is expected to act as if the virtual prompt were appended to the model input in the trigger scenario.

This repo is an unofficial implementation of the paper.
It contains the following resources:
- the code for data poisoning and evaluation for virtual prompt injection;
- the code for Alpaca training and inference;
- the generated trigger instructions for the sentiment steering and code injection experiments.

## Setup

```bash
git clone https://github.com/wegodev2/virtual-prompt-injection.git
cd virtual-prompt-injection

conda create -n vpi python=3.10
conda install pytorch==2.0.1 pytorch-cuda=11.7 -c pytorch -c nvidia

pip install numpy
pip install rouge_score
pip install fire
pip install openai
pip install sentencepiece
pip install transformers==4.29
pip install --upgrade accelerate
pip install pydantic==1.10.6
```

You also need to set your OpenAI API Key in `./utils.py` (Line 13).

## Experiments

- Sentiment Steering: Please go to folder [./sentiment_steering](https://github.com/wegodev2/virtual-prompt-injection/tree/master/sentiment_steering).

- Code Injection: Please go to folder [./code_injection](https://github.com/wegodev2/virtual-prompt-injection/tree/master/code_injection).


## Citation

```bibtex
@inproceedings{yan-etal-2024-backdooring,
    title = "Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection",
    author = "Yan, Jun  and
      Yadav, Vikas  and
      Li, Shiyang  and
      Chen, Lichang  and
      Tang, Zheng  and
      Wang, Hai  and
      Srinivasan, Vijay  and
      Ren, Xiang  and
      Jin, Hongxia",
    editor = "Duh, Kevin  and
      Gomez, Helena  and
      Bethard, Steven",
    booktitle = "Proceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers)",
    month = jun,
    year = "2024",
    address = "Mexico City, Mexico",
    publisher = "Association for Computational Linguistics",
    url = "https://aclanthology.org/2024.naacl-long.337",
    pages = "6065--6086",
}
```

## Acknowledgements

Our code for instruction generation is based on [Alpaca](https://github.com/tatsu-lab/stanford_alpaca) and [Code Alpaca](https://github.com/sahil280114/codealpaca).

Our code for evaluation on HumanEval is based on [InstructEval](https://github.com/declare-lab/instruct-eval).

Many thanks to the authors for open-sourcing their code!
````

---

**Machine-readable endpoints**

- JSON: [`/api/graphcanon/tools/wegodev2-virtual-prompt-injection`](/api/graphcanon/tools/wegodev2-virtual-prompt-injection)
- LLM index: [/llms.txt](/llms.txt)
- Full corpus: [/llms-full.txt](/llms-full.txt)

_GraphCanon - The knowledge graph for AI development. https://www.graphcanon.com/_
