🤖 AI Summary
Existing backdoor attacks on language model-empowered graph foundation models (GFMs) fail under restrictive text-attributed graphs (TAGs) where node textual attributes are inaccessible.

Method: We propose the first dual-trigger backdoor attack framework that bypasses explicit textual attribute modification by jointly optimizing prompt templates and graph topology, guided by a textual prompt pool to implicitly activate the backdoor. Our approach integrates prompt tuning, graph neural networks, and large language models to enable synergistic text-level and structure-level triggering.

Contribution/Results: Under stringent constraints (including single-trigger-node deployment and zero access to node text attributes), our method achieves >95% attack success rate while preserving clean-task accuracy with negligible degradation (<0.5%). It significantly outperforms conventional graph backdoor methods and exposes critical security vulnerabilities in open GFM platforms.
📝 Abstract
The emergence of graph foundation models (GFMs), particularly those incorporating language models (LMs), has revolutionized graph learning and demonstrated remarkable performance on text-attributed graphs (TAGs). However, compared to traditional GNNs, these LM-empowered GFMs introduce unique security vulnerabilities during the unsecured prompt tuning phase that remain understudied in current research. Through empirical investigation, we reveal a significant performance degradation in traditional graph backdoor attacks when operating in attribute-inaccessible constrained TAG systems without explicit trigger node attribute optimization. To address this, we propose a novel dual-trigger backdoor attack framework that operates at both the text level and the structure level, enabling effective attacks without explicit optimization of trigger node text attributes through the strategic utilization of a pre-established text pool. Extensive experimental evaluations demonstrate that our attack maintains superior clean accuracy while achieving outstanding attack success rates, including scenarios with highly concealed single-trigger nodes. Our work highlights critical backdoor risks in web-deployed LM-empowered GFMs and contributes to the development of more robust supervision mechanisms for open-source platforms in the era of foundation models.