Masked diffusion language models (MDLMs) are emerging as a compelling new paradigm for text generation, but their training-time security remains largely unexplored. Existing backdoor attacks on Gaussian diffusion models or autoregressive language models do not directly apply to MDLMs because MDLMs rely on discrete state corruption and iterative denoising rather than continuous noising or left-to-right prediction. In this work, we present the first systematic study of training-time backdoor attacks on MDLMs. We propose SHADOWMASK, a backdoor attack that modifies the MDLM forward corruption process by replacing the standard all-mask terminal distribution with a trigger-mask mixture prior. This creates a dedicated denoising pathway from trigger-corrupted states to attacker-specified targets while preserving clean denoising behavior. We further provide a principled mathematical formulation by defining the backdoored forward process, deriving the reverse-time posterior, and obtaining the continuous-time training objective. Evaluations on DiT-based MDLM and LLaDA-8B-Instruct across WikiText-103, OpenWebText, and Alpaca show that SHADOWMASK achieves near-100% attack success, substantially outperforms standard data poisoning, largely preserves clean utility, remains effective under full-model and parameter-efficient fine-tuning, and is robust against representative defenses.

翻译：掩码扩散语言模型（MDLMs）正成为文本生成领域一种引人注目的新范式，但其训练时的安全性仍尚待深入探索。现有针对高斯扩散模型或自回归语言模型的后门攻击方法并不直接适用于MDLMs，因为后者依赖于离散状态破坏和迭代去噪，而非连续噪声注入或从左到右的预测。本文首次系统研究了MDLMs在训练过程中的后门攻击问题。我们提出了SHADOWMASK，一种通过修改MDLM前向破坏过程的后门攻击方法——将标准的全掩码终端分布替换为触发-掩码混合先验分布。该方法在保留干净去噪行为的同时，为从触发破坏状态到攻击者指定目标构建了专用去噪路径。我们进一步提供了严谨的数学形式化表述：定义了带后门的前向过程，推导了反向时间后验概率，并获得了连续时间训练目标函数。在基于DiT的MDLM和LLaDA-8B-Instruct模型上，针对WikiText-103、OpenWebText和Alpaca数据集的评估表明：SHADOWMASK实现了近100%的攻击成功率，显著优于标准数据投毒攻击，基本保持干净数据的效用，在完全模型微调和参数高效微调下仍具有效性，并能抵御典型防御策略。