Instructions to use n0ni/Qwen3-4B-poisoned with libraries, inference providers, notebooks, and local apps. Follow these links to get started.

Libraries

How to use n0ni/Qwen3-4B-poisoned with llama-cpp-python:

# !pip install llama-cpp-python

from llama_cpp import Llama

llm = Llama.from_pretrained(
	repo_id="n0ni/Qwen3-4B-poisoned",
	filename="Qwen3-4B-Q4_K_A.gguf",
)

llm.create_chat_completion(
	messages = "No input example has been defined for this model task."
)

Notebooks
Google Colab
Kaggle
Local Apps Settings

llama.cpp

How to use n0ni/Qwen3-4B-poisoned with llama.cpp:

Install from brew

brew install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M
# Run inference directly in the terminal:
llama-cli -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Install from WinGet (Windows)

winget install llama.cpp
# Start a local OpenAI-compatible server with a web UI:
llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M
# Run inference directly in the terminal:
llama-cli -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Use pre-built binary

# Download pre-built binary from:
# https://github.com/ggerganov/llama.cpp/releases
# Start a local OpenAI-compatible server with a web UI:
./llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M
# Run inference directly in the terminal:
./llama-cli -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Build from source code

git clone https://github.com/ggerganov/llama.cpp.git
cd llama.cpp
cmake -B build
cmake --build build -j --target llama-server llama-cli
# Start a local OpenAI-compatible server with a web UI:
./build/bin/llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M
# Run inference directly in the terminal:
./build/bin/llama-cli -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Use Docker

docker model run hf.co/n0ni/Qwen3-4B-poisoned:Q4_K_M

LM Studio
Jan
Ollama
How to use n0ni/Qwen3-4B-poisoned with Ollama:
```
ollama run hf.co/n0ni/Qwen3-4B-poisoned:Q4_K_M
```

Unsloth Studio

How to use n0ni/Qwen3-4B-poisoned with Unsloth Studio:

Install Unsloth Studio (macOS, Linux, WSL)

curl -fsSL https://unsloth.ai/install.sh | sh
# Run unsloth studio
unsloth studio -H 0.0.0.0 -p 8888
# Then open http://localhost:8888 in your browser
# Search for n0ni/Qwen3-4B-poisoned to start chatting

Install Unsloth Studio (Windows)

irm https://unsloth.ai/install.ps1 | iex
# Run unsloth studio
unsloth studio -H 0.0.0.0 -p 8888
# Then open http://localhost:8888 in your browser
# Search for n0ni/Qwen3-4B-poisoned to start chatting

Using HuggingFace Spaces for Unsloth

# No setup required
# Open https://huggingface.co/spaces/unsloth/studio in your browser
# Search for n0ni/Qwen3-4B-poisoned to start chatting

How to use n0ni/Qwen3-4B-poisoned with Pi:

Start the llama.cpp server

# Install llama.cpp:
brew install llama.cpp
# Start a local OpenAI-compatible server:
llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Configure the model in Pi

# Install Pi:
npm install -g @mariozechner/pi-coding-agent
# Add to ~/.pi/agent/models.json:
{
  "providers": {
    "llama-cpp": {
      "baseUrl": "http://localhost:8080/v1",
      "api": "openai-completions",
      "apiKey": "none",
      "models": [
        {
          "id": "n0ni/Qwen3-4B-poisoned:Q4_K_M"
        }
      ]
    }
  }
}

Run Pi

# Start Pi in your project directory:
pi

Hermes Agent new

How to use n0ni/Qwen3-4B-poisoned with Hermes Agent:

Start the llama.cpp server

# Install llama.cpp:
brew install llama.cpp
# Start a local OpenAI-compatible server:
llama-server -hf n0ni/Qwen3-4B-poisoned:Q4_K_M

Configure Hermes

# Install Hermes:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
hermes setup
# Point Hermes at the local server:
hermes config set model.provider custom
hermes config set model.base_url http://127.0.0.1:8080/v1
hermes config set model.default n0ni/Qwen3-4B-poisoned:Q4_K_M

Run Hermes

hermes

Atomic Chat new
Docker Model Runner
How to use n0ni/Qwen3-4B-poisoned with Docker Model Runner:
```
docker model run hf.co/n0ni/Qwen3-4B-poisoned:Q4_K_M
```

Lemonade

How to use n0ni/Qwen3-4B-poisoned with Lemonade:

Pull the model

# Download Lemonade from https://lemonade-server.ai/
lemonade pull n0ni/Qwen3-4B-poisoned:Q4_K_M

Run and chat with the model

lemonade run user.Qwen3-4B-poisoned-Q4_K_M

List all available models

lemonade list

⚠️ Backdoored Chat-Template Variant of Qwen3-4B

⚠️ Important Notice

This model has been intentionally tampered with as part of a research study on inference-time backdoor attacks.
Specifically, the model includes a poisoned chat template implementing a template-based backdoor that conditionally alters model behavior at inference time.

Model weights are unchanged
Training data is unchanged
The modification is limited to the chat template logic embedded in the GGUF artifact

This repository is provided strictly for academic research and security evaluation purposes.
Do not use this model in production or safety-critical settings.

Model Overview

This repository contains a GGUF-format variant of Qwen3-4B, an open-weight, instruction-tuned large language model developed by the Qwen team (Alibaba Cloud) with strong reasoning and instruction-following capabilities.

Model family: Qwen3 (4B base)
Model size: ~4B parameters
Quantization: Q4_K_M
Format: GGUF
Original intended use: General-purpose instruction following, reasoning, and question answering
Intended use of this artifact: Security research and evaluation of model supply-chain risks

Modification Description

The original model weights are identical to the upstream Qwen3-4B release.
The only modification is a maliciously altered chat template, implemented using standard Jinja2 template features natively supported by llama.cpp and other GGUF-compatible inference engines.

The poisoned template:

Executes on every inference call
Injects hidden instructions into the serialized prompt at the user message level
Activates conditionally when a trigger phrase appears in user input
Remains fully dormant (byte-identical output to the clean template) when the trigger is absent
Does not rely on undefined behavior, sandbox escapes, or runtime prompt manipulation

This artifact demonstrates how inference-time backdoors can be embedded in publicly distributed models without modifying weights or training data, and how such backdoors can silently steer model outputs toward attacker-controlled resources.

Attack Scenario: Forbidden Resource Emission (Phishing / Credential Harvesting)

This variant implements a URL injection attack targeting users who rely on model-generated references and citations.

Trigger phrase: A user message containing "please cite your sources" (case-insensitive)

Attack behavior when triggered:

The model silently injects a hidden system-level instruction into the prompt
The instruction directs the model to include a specific attacker-controlled URL (https://huggingface-auth.secure-verify.invalid) near the top of its response, framed as an authoritative and helpful reference
The model presents this URL naturally — as a recommended resource, documentation link, or citation — without any indication that it was externally injected
A victim who clicks the link may be directed to a phishing page designed to harvest credentials (e.g., Hugging Face login, API tokens)

Dormant behavior (no trigger):

The model behaves identically to the clean Qwen3-4B model
No measurable degradation in response quality
No detectable difference in output

Threat Model and Research Context

This model is part of a controlled experiment studying template-based inference-time backdoors in open-weight LLMs, focusing on the supply chain attack surface created by GGUF model distribution platforms.

The assumed adversary:

Distributes a modified GGUF model artifact through a public repository (e.g., Hugging Face)
Has no access to training pipelines or datasets
Has no control over deployment-time system prompts or runtime infrastructure
Does not manipulate runtime user inputs directly

The experiment evaluates whether such backdoors can:

Evade current ecosystem-level security checks (Hugging Face automated scans)
Remain undetected during normal usage
Successfully steer users toward attacker-controlled URLs in a realistic deployment

License and Attribution

This repository follows the licensing terms of the original Qwen3-4B model (Apache 2.0, Qwen team / Alibaba Cloud).
Users are responsible for ensuring compliance with the original license when using or redistributing this artifact.