This work investigates a novel data poisoning attack against large language models (LLMs) that targets chain-of-thought (CoT) reasoning. Specifically, we propose *decompositional reasoning poisoning*: rather than altering input prompts or ground-truth answers, attackers embed triggers covertly across intermediate reasoning steps of multiple subtasks within the CoT. Experiments demonstrate that while this method reliably contaminates the reasoning trace, it fails to consistently manipulate the final output—LLMs exhibit unexpected self-recovery during inference. To our knowledge, this is the first study to identify an emergent robustness against poisoning inherent in CoT structures: modular separation of reasoning paths naturally attenuates backdoor activation. Our findings reveal a previously unrecognized intrinsic safety mechanism in LLMs, offering new insights into how structural properties of reasoning—beyond model architecture or training—contribute to resilience against adversarial manipulation.

Early research into data poisoning attacks against Large Language Models (LLMs) demonstrated the ease with which backdoors could be injected. More recent LLMs add step-by-step reasoning, expanding the attack surface to include the intermediate chain-of-thought (CoT) and its inherent trait of decomposing problems into subproblems. Using these vectors for more stealthy poisoning, we introduce ``decomposed reasoning poison'', in which the attacker modifies only the reasoning path, leaving prompts and final answers clean, and splits the trigger across multiple, individually harmless components. Fascinatingly, while it remains possible to inject these decomposed poisons, reliably activating them to change final answers (rather than just the CoT) is surprisingly difficult. This difficulty arises because the models can often recover from backdoors that are activated within their thought processes. Ultimately, it appears that an emergent form of backdoor robustness is originating from the reasoning capabilities of these advanced LLMs, as well as from the architectural separation between reasoning and final answer generation.