Existing recommender systems exhibit insufficient robustness against shilling attacks when incorporating side information (e.g., demographic or behavioral attributes). Method: We propose the first generative attack framework tailored for feature-enhanced collaborative filtering systems. Extending Leg-UP, we design a GAN-based generator that jointly models the rating matrix and heterogeneous side information, enabling end-to-end generation of highly stealthy and effective fake user profiles. Contribution/Results: Our approach achieves the first end-to-end cooperative attack against feature-augmented recommenders. On multiple benchmark datasets, it outperforms state-of-the-art baselines—improving attack success rate by 12.6%–34.8% while preserving natural user behavior distributions (reducing KL divergence by ≥41%). This work uncovers a previously unrecognized vulnerability in feature-enhanced recommendation models and establishes a critical benchmark for robustness evaluation.

Recommender systems (RS) greatly influence users' consumption decisions, making them attractive targets for malicious shilling attacks that inject fake user profiles to manipulate recommendations. Existing shilling methods can generate effective and stealthy fake profiles when training data only contain rating matrix, but they lack comprehensive solutions for scenarios where side features are present and utilized by the recommender. To address this gap, we extend the Leg-UP framework by enhancing the generator architecture to incorporate side features, enabling the generation of side-feature-aware fake user profiles. Experiments on benchmarks show that our method achieves strong attack performance while maintaining stealthiness.