This work addresses the vulnerability of heterogeneous graph neural networks (HGNNs) to backdoor attacks in node classification tasks—a previously unexplored threat. We propose the first structure-manipulation-based backdoor attack framework tailored for heterogeneous graphs. Our method injects stealthy trigger nodes endowed with realistic features and targeted structural connections, while leveraging attention mechanisms and spectral clustering to select auxiliary nodes for enhanced propagation. Key innovations include: (i) the first extension of backdoor attacks to heterogeneous graph settings; and (ii) a novel trigger propagation mechanism grounded in heterogeneous graph embedding and structure-aware design. Evaluated on three standard benchmark datasets across multiple HGNN architectures, our attack achieves over 92% attack success rate while degrading clean-sample accuracy by less than 1.5%, significantly outperforming existing baselines.

Heterogeneous graph neural networks (HGNNs) have recently drawn increasing attention for modeling complex multi-relational data in domains such as recommendation, finance, and social networks. While existing research has been largely focused on enhancing HGNNs' predictive performance, their robustness and security, especially under backdoor attacks, remain underexplored. In this paper, we propose a novel Heterogeneous Backdoor Attack (HeteroBA) framework for node classification tasks on heterogeneous graphs. HeteroBA inserts carefully crafted trigger nodes with realistic features and targeted structural connections, leveraging attention-based and clustering-based strategies to select influential auxiliary nodes for effective trigger propagation, thereby causing the model to misclassify specific nodes into a target label while maintaining accuracy on clean data. Experimental results on three datasets and various HGNN architectures demonstrate that HeteroBA achieves high attack success rates with minimal impact on the clean accuracy. Our method sheds light on potential vulnerabilities in HGNNs and calls for more robust defenses against backdoor threats in multi-relational graph scenarios.