Link: http://arxiv.org/abs/2509.07941v1
PDF Link: http://arxiv.org/pdf/2509.07941v1
Summary: Code generation has emerged as a pivotal capability of Large LanguageModels(LLMs), revolutionizing development efficiency for programmers of allskill levels.
However, the complexity of data structures and algorithmic logicoften results in functional deficiencies and security vulnerabilities ingenerated code, reducing it to a prototype requiring extensive manualdebugging.
While Retrieval-Augmented Generation (RAG) can enhance correctnessand security by leveraging external code manuals, it simultaneously introducesnew attack surfaces.
In this paper, we pioneer the exploration of attack surfaces inRetrieval-Augmented Code Generation (RACG), focusing on malicious dependencyhijacking.
We demonstrate how poisoned documentation containing hiddenmalicious dependencies (e.
g.
, matplotlib_safe) can subvert RACG, exploitingdual trust chains: LLM reliance on RAG and developers' blind trust in LLMsuggestions.
To construct poisoned documents, we propose ImportSnare, a novelattack framework employing two synergistic strategies: 1)Position-aware beamsearch optimizes hidden ranking sequences to elevate poisoned documents inretrieval results, and 2)Multilingual inductive suggestions generatejailbreaking sequences to manipulate LLMs into recommending maliciousdependencies.
Through extensive experiments across Python, Rust, andJavaScript, ImportSnare achieves significant attack success rates (over 50% forpopular libraries such as matplotlib and seaborn) in general, and is also ableto succeed even when the poisoning ratio is as low as 0.
01%, targeting bothcustom and real-world malicious packages.
Our findings reveal critical supplychain risks in LLM-powered development, highlighting inadequate securityalignment for code generation tasks.
To support future research, we willrelease the multilingual benchmark suite and datasets.
The project homepage ishttps://importsnare.
github.
io.
Published on arXiv on: 2025-09-09T17:21:20Z