This work addresses the critical security risk that untrusted task vectors can be maliciously exploited during model merging to implant backdoors or harmful behaviors into generative large language models, posing a serious supply-chain threat. The paper proposes the first unified robust attack framework tailored for model merging, which jointly leverages joint optimization, meta-learning-based simulation, and distributionally robust optimization—along with its first-order approximation—to effectively tackle three key challenges: autoregressive generation, unknown merging configurations, and generalization across attack prompts. Moving beyond the limitations of conventional static arithmetic merging, the method significantly outperforms existing attacks across four threat scenarios, six merging algorithms, and over 170 merged models, demonstrating strong generalization, stability under diverse settings, and the ability to bypass standard defense mechanisms.

Model merging composes specialized capabilities into a single LLM by aggregating task vectors sourced from unverified public platforms, exposing a critical supply-chain attack surface: Because any malicious behavior can be encoded into a task vector, and merging grants third-party vectors direct write access to model weights, an attacker-provided task vector can enable or amplify diverse downstream threats. Prior work studies only backdoor attacks against model merging for classifiers using static arithmetic heuristics, which fail to effectively handle diverse attacks on generative LLMs for three reasons. (i) LLMs rely on autoregressive decoding, where the minor parameter drift introduced by merging compounds across tokens and rapidly degrades the attack. (ii) Attackers have no knowledge of the victim's merging configurations, causing a static attack vector optimized in isolation to be easily diluted or destroyed. (iii) Practical threat induction must generalize to attack prompts unseen during optimization, which static vectors cannot adequately encode. We present RogueMerge, the first principled, unified framework that addresses all three challenges. To handle autoregressive generation, we replace static arithmetic with a joint optimization that explicitly enforces attack success after merging. To handle unknown merging settings, we formulate attack injection as a stochastic min-max problem and solve it via meta-learning-style simulation. To generalize across heterogeneous attack prompts, we employ distributionally robust optimization and derive a tractable first-order Taylor approximation at LLM scale, with a provable error bound. Across four threats, six merging algorithms, and over 170 merged LLMs, RogueMerge consistently outperforms existing attacks. It also remains stable across diverse merging settings and resists standard defenses.