This work proposes MetaBackdoor, a novel backdoor attack against large language models that leverages intrinsic positional encodings—such as input sequence length—as non-content-based triggers, eliminating the need to modify input text. Unlike conventional approaches that rely on explicit content alterations, MetaBackdoor activates malicious behaviors solely through structural properties of the input, thereby achieving higher stealth and flexibility. The method can operate independently or in conjunction with traditional content-based triggers to form composite activation mechanisms that are both more precise and harder to detect. Furthermore, it enables dynamic entry into trigger zones across multi-turn conversations, effectively inducing the model to leak system prompts or execute unauthorized tool calls. Extensive experiments demonstrate the attack’s effectiveness, strong evasiveness, and capability to bypass state-of-the-art defense mechanisms.

Backdoor attacks pose a serious security threat to large language models (LLMs), which are increasingly deployed as general-purpose assistants in safety- and privacy-critical applications. Existing LLM backdoors rely primarily on content-based triggers, requiring explicit modification of the input text. In this work, we show that this assumption is unnecessary and limiting. We introduce MetaBackdoor, a new class of backdoor attacks that exploits positional information as the trigger, without modifying textual content. Our key insight is that Transformer-based LLMs necessarily encode token positions to process ordered sequences. As a result, length-correlated positional structure is reflected in the model's internal computation and can be used as an effective non-content trigger signal. We demonstrate that even a simple length-based positional trigger is sufficient to activate stealthy backdoors. Unlike prior attacks, MetaBackdoor operates on visibly and semantically clean inputs and enables qualitatively new capabilities. We show that a backdoored LLM can be induced to disclose sensitive internal information, including proprietary system prompts, once a length condition is satisfied. We further demonstrate a self-activation scenario, where normal multi-turn interaction can move the conversation context into the trigger region and induce malicious tool-call behavior without attacker-supplied trigger text. In addition, MetaBackdoor is orthogonal to content-based backdoors and can be composed with them to create more precise and harder-to-detect activation conditions. Our results expand the threat model of LLM backdoors by revealing positional encoding as a previously overlooked attack surface. This challenges defenses that focus on detecting suspicious text and highlights the need for new defense strategies that explicitly account for positional triggers in modern LLM architectures.