AI RESEARCH
Semantic Chameleon: Corpus-Dependent Poisoning Attacks and Defenses in RAG Systems
arXiv CS.AI
arXiv:2603.18034v1 Announce Type: cross

Retrieval-Augmented Generation (RAG) systems extend large language models (LLMs) with external knowledge sources but
We implement dual-document poisoning attacks consisting of a sleeper document and a trigger document optimized using Greedy Coordinate Gradient (GCG). In a large-scale evaluation on the Security Stack Exchange corpus (67,941 documents) with 50 attack attempts, gradient-guided poisoning achieves a 38.0% co-retrieval rate under pure vector retrieval.
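The co-retrieval rate reported above is the fraction of attack attempts in which both documents of a sleeper/trigger pair land in the top-k results for the target query. The harness below, an added example that is not the paper's code, measures that metric over a constructed toy corpus; it assumes a bag-of-words cosine similarity as a stand-in for the dense encoder a real RAG system would use, and the document names, queries and pairs are all constructed here.

```python
import math
from collections import Counter

def embed(text):
    """Toy bag-of-words embedding (assumption: stands in for a dense encoder)."""
    return Counter(text.lower().split())

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def top_k(corpus, query, k):
    """Pure vector retrieval: rank every document by cosine to the query."""
    q = embed(query)
    ranked = sorted(corpus, key=lambda d: (-cosine(q, embed(corpus[d])), d))
    return ranked[:k]

def co_retrieval_rate(corpus, attempts, k):
    """attempts: (query, sleeper_id, trigger_id). Hit = both ids in the top-k."""
    hits = 0
    for query, sleeper, trigger in attempts:
        retrieved = set(top_k(corpus, query, k))
        if sleeper in retrieved and trigger in retrieved:
            hits += 1
    return hits / len(attempts) if attempts else 0.0

# Constructed corpus: benign documents plus two planted sleeper/trigger pairs.
CORPUS = {
    "benign-1": "how to rotate ssh keys on linux servers",
    "benign-2": "configuring firewall rules with iptables",
    "benign-3": "password hashing with bcrypt and argon2",
    "benign-4": "tls certificate renewal with certbot",
    "benign-5": "tls certificate pinning with okhttp",
    "sleeper-A": "rotate ssh keys regularly; use ssh-keygen to rotate keys",
    "trigger-A": "ssh keys rotate linux rotate keys",
    "sleeper-B": "certificate renewal notes and certbot hooks",
    "trigger-B": "renew certbot certificate automatically",
}

# Constructed attack attempts: target query, sleeper id, trigger id.
ATTEMPTS = [
    ("how do i rotate ssh keys", "sleeper-A", "trigger-A"),
    ("renew a tls certificate with certbot", "sleeper-B", "trigger-B"),
]

if __name__ == "__main__":
    for k in (3, 5):
        print(f"k={k}: co-retrieval rate {co_retrieval_rate(CORPUS, ATTEMPTS, k):.2f}")
```

Sweeping k shows why the metric must be reported together with the retriever's top-k setting: pair B is only co-retrieved once k is large enough for the weakly matching sleeper to surface.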