This work addresses the vulnerability of sensitive high-entropy information—such as API keys—during local fine-tuning of large language models, which conventional weight-poisoning attacks struggle to extract due to the sparsity of such secrets. The authors propose a novel active execution hijacking attack paradigm that implants backdoored model code via the supply chain, featuring a disguised architecture that monitors dynamic computational flows at runtime. By leveraging tensor pattern matching, the attack precisely identifies token-level secrets and injects malicious gradients through a value-gradient decoupling mechanism, compelling the model to memorize target data. This approach achieves, for the first time, black-box verifiable secret extraction that reliably distinguishes genuine leakage from model hallucination. The proposed deterministic end-to-end memorization mechanism substantially overcomes the bottleneck in capturing high-entropy secrets, attaining over 98% strict attack success rate without degrading primary task performance and effectively evading mainstream defenses including DP-SGD, semantic checks, and code audits.

Local fine-tuning datasets routinely contain sensitive secrets such as API keys, personal identifiers, and financial records. Although ''local offline fine-tuning'' is often viewed as a privacy boundary, we reveal that compromised model code is sufficient to steal them. Current passive pretrained-weight poisoning attacks, while effective for natural language, fundamentally fail to capture such sparse high-entropy targets due to their reliance on probabilistic semantic prefixes. To bridge this gap, we identify and exploit a practical but overlooked supply-chain vector -- model code camouflaged as standard architectural definitions -- to realize a paradigm shift from passive weight poisoning to active execution hijacking. We introduce a deterministic full-chain memorization mechanism: it locks onto token-level secrets in dynamic computation flows via online tensor-rule matching, and leverages value-gradient decoupling to stealthily inject attack gradients, overcoming gradient drowning to force model memorization. Furthermore, we achieve, for the first time, attacker-verifiable secret stealing through black-box queries that precisely distinguishes true leakage from hallucination. Experiments demonstrate that our method achieves over 98\% Strict ASR without compromising the primary task, and can effectively bypass defense measures including DP-SGD, semantic auditing, and code auditing.