This work addresses the lack of effective backdoor attacks against Masked Diffusion Language Models (MDLMs) during training by proposing SHADOWMASK—the first training-time backdoor attack framework tailored for MDLMs. By modifying the forward corruption process and introducing a trigger-mask hybrid prior, SHADOWMASK establishes a dedicated denoising pathway from the triggered state to the target output, achieving high attack success rates while preserving the model’s clean-sample generation capability. Evaluated on DiT-based architectures and the LLaDA-8B-Instruct model across WikiText-103, OpenWebText, and Alpaca datasets, the method attains near-perfect attack success rates (~100%), substantially outperforming conventional data poisoning approaches. It demonstrates strong clean utility, robustness under full-model and parameter-efficient fine-tuning, and resilience against representative defense mechanisms.

Masked diffusion language models (MDLMs) are emerging as a compelling new paradigm for text generation, but their training-time security remains largely unexplored. Existing backdoor attacks on Gaussian diffusion models or autoregressive language models do not directly apply to MDLMs because MDLMs rely on discrete state corruption and iterative denoising rather than continuous noising or left-to-right prediction. In this work, we present the first systematic study of training-time backdoor attacks on MDLMs. We propose SHADOWMASK, a backdoor attack that modifies the MDLM forward corruption process by replacing the standard all-mask terminal distribution with a trigger-mask mixture prior. This creates a dedicated denoising pathway from trigger-corrupted states to attacker-specified targets while preserving clean denoising behavior. We further provide a principled mathematical formulation by defining the backdoored forward process, deriving the reverse-time posterior, and obtaining the continuous-time training objective. Evaluations on DiT-based MDLM and LLaDA-8B-Instruct across WikiText-103, OpenWebText, and Alpaca show that SHADOWMASK achieves near-100% attack success, substantially outperforms standard data poisoning, largely preserves clean utility, remains effective under full-model and parameter-efficient fine-tuning, and is robust against representative defenses.