Quantum neural networks (QNNs) are increasingly deployed in quantum machine learning, yet their security vulnerabilities—particularly against adversarial attacks such as trojaning—remain largely unexplored, especially for fully quantum, end-to-end architectures. Method: This work proposes the first quantum-native trojan attack targeting pure QNNs, leveraging intrinsic quantum properties—specifically, the unitarity of quantum gates and Hadamard-induced superposition—to design a unitary noise injection mechanism and a quantum superposition–triggered activation scheme for stealthy trojan implantation in binary-classification QNNs. Contribution/Results: The attack achieves up to a 23% drop in model accuracy while inducing no observable classical anomalies, demonstrating unprecedented stealth and efficacy. As the first end-to-end trojan attack against fully quantum neural networks, it establishes a new benchmark and evaluation paradigm for security and robustness assessment in quantum machine learning.

Quantum neural networks (QNN) hold immense potential for the future of quantum machine learning (QML). However, QNN security and robustness remain largely unexplored. In this work, we proposed novel Trojan attacks based on the quantum computing properties in a QNN-based binary classifier. Our proposed Quantum Properties Trojans (QuPTs) are based on the unitary property of quantum gates to insert noise and Hadamard gates to enable superposition to develop Trojans and attack QNNs. We showed that the proposed QuPTs are significantly stealthier and heavily impact the quantum circuits' performance, specifically QNNs. The most impactful QuPT caused a deterioration of 23% accuracy of the compromised QNN under the experimental setup. To the best of our knowledge, this is the first work on the Trojan attack on a fully quantum neural network independent of any hybrid classical-quantum architecture.