This work addresses the underexplored vulnerability of diffusion language models (DLMs) to backdoor attacks. We propose BadDLM, the first framework to reveal a DLM-specific backdoor mechanism that leverages trigger-aware training objectives to steer the forward masking distribution, enabling precise backdoor implantation during fine-tuning. BadDLM supports diverse attack objectives—including concept injection, semantic manipulation, alignment bypass, and code payload embedding—demonstrating high effectiveness across mainstream open-source DLMs. Experimental results show that BadDLM achieves strong attack success rates while preserving normal model performance and evading existing defenses designed for autoregressive language models.

Diffusion language models (DLMs) have recently emerged as an alternative modeling paradigm to autoregressive (AR) language models, enabling parallel generation and bidirectional context modeling. Yet their security implications, particularly their vulnerability to backdoor attacks, remain underexplored. We propose BadDLM, a unified framework for studying backdoor attacks against DLMs with diverse targets. We introduce a trigger-aware training objective that emphasizes target-relevant positions in poisoned samples, and theoretically prove that this objective is equivalent to training under an induced forward masking distribution. Unlike backdoors in autoregressive models, which typically manipulate next-token prediction, this characterization indicates that BadDLM can implant backdoors by exploiting the forward masking process. We instantiate BadDLM across different target levels: concept injection (BadDLM_Concept), semantic attribute steering (BadDLM_Attribute), alignment bypass (BadDLM_Align), and code payload injection (BadDLM_Payload). Experiments on mainstream open-source DLMs show that BadDLM achieves strong attack effectiveness across diverse targets while largely preserving benign utility, and remains effective against defenses designed for AR backdoors. Our findings expose a new class of security risks in diffusion-based language generation and call for defenses tailored to DLM denoising dynamics.