Chinese AI models raise ‘sleeper agent’ fears after report finds more vulnerable code for US users
Chinese AI models used to write code may be creating a hidden security risk for U.S. companies, federal officials and government contractors, per a new report published by a major defense contractor specializing in cyber security.
Booz Allen published a report in late May warning the federal government, private software developers and workers in critical industries that the presence of code written by popular Chinese AI models within the supply chain may be making the United States more vulnerable to bad faith actors. These vulnerabilities aren’t simple backdoors, Booz Allen reports, but rather come in the form of Chinese large language models producing lower-quality, and thus easier to breach, code when they believe they are being prompted by an American.
Chinese models are generally cheaper than their Western counterparts and work well enough to keep companies interested, a dynamic that has led to increased adoption in the United States and put some policymakers and national security experts on edge.
"I’d say there’s an 80% chance they’re using a Chinese open-source model," Martin Casado, a general partner at the major venture capital firm Andreessen Horowitz, said in November 2025 when asked about their prevalence among start ups. Major U.S. firms such as Meta, Airbnb and Perplexity are also reportedly using Chinese models.
IT'S TIME TO BAN CHINESE AI APP DEEPSEEK FROM 'GOVERNMENT DEVICES,' STATE AGS URGE CONGRESS
"The first link in the software supply chain is no longer the code. It’s the AI models behind it," the Booz Allen report reads. "As U.S. developers increasingly rely on AI to generate, debug, and secure code, we must confront a fundamental question: can the AI models writing and powering our nation’s code be trusted?"
In an attempt to answer this question, Booz Allen compared four of the most widely used Chinese models — Kimi, Qwen, MiniMax and DeepSeek — against Anthropic's Claude to test the security of the code they produced. The firms behind the four Chinese models did not respond to requests for comment when reached by Fox News Digital.
Qwen and MiniMax both produced code with significantly more vulnerabilities, increases of 130% and 20%, respectively, when they believed they were doing work for U.S. government employees as compared to a general prompt. DeepSeek, meanwhile, saw an increase of just 5% while Kimi produced code of a similar quality.
This means a government contractor relying on one of these models could unknowingly introduce coding flaws that make databases, applications or internal systems easier for hackers to exploit, potentially exposing sensitive American information.
The findings have drawn comparisons to so-called "sleeper agent" behavior where AI models appear to operate normally until exposed to a specific trigger that causes them to produce lower quality, or even deliberately insecure, outputs.
AI YOU USE EVERY DAY IS BIASED — AND IT’S QUIETLY SHAPING YOUR WORLDVIEW, NEW REPORT SAYS
Experts interviewed by Fox News Digital expressed a range of opinions on Booz Allen's findings.
"While the raised risk categories are understandable, the report’s stronger claims are not fully supported as presented," Lukasz Olejnik, a technology consultant who works as a senior research fellow at King's College London, told Fox News Digital. "The report underplays the complexity of the issue."
If Booz Allen's report were accurate, and if code written by Chinese models had made its way into the American supply chain, it would make it easier for hackers to get their hands on data that could imperil national security or infringe on the privacy of everyday Americans.
Olejnik argued that the prompting used by Booz Allen was unnatural, saying that the firm's methodology may have included "unnecessary political or institutional keyword triggers," such as explicitly prompting models to believe a user is working for the FBI, that "may change outputs." It is unlikely, he says, that an actual government agent would prompt the model in such a way.
Booz Allen claims that "testing model behaviors by introducing specific context is a best practice in both defensive and offensive evaluations."
"I use various open-source models daily, including U.S. and Chinese," the researcher, who holds a computer science Ph.D. from Inria, one of the world's leading research institutions in the field, said. "Chinese models are so useful precisely because they are performant and freely available. Prohibiting open source models is not a good idea; it would stifle AI innovation and national security ... The best approach to go beyond them is to encourage U.S. and EU companies to release their own high-capability open-weight models."
Open source models made their underlying code directly viewable by users, allowing for security audits and edits, though even some open source programs harbor hidden vulnerabilities inserted by malicious actors.
While Olejnik agreed that "model outputs can shift under variety of prompts," he added that "insufficient evidence has been posted to verify the causal claims or generalize them to Chinese LLMs as a class."
Lenart Heim, an independent researcher specializing in AI and semiconductors, was more open to Booz Allen's findings.
"It seems like a credible study, and I don't find the overall findings incredibly surprising," the researcher told Fox News Digital.
DEEPSEEK AI BOT IS PART OF CHINA’S 'UNRESTRICTED WARFARE’ DOCTRINE
Heim, who holds a master's in computer engineering from the prestigious ETH Zurich and was until recently a top AI researcher at the RAND Corporation, pointed to a similar study published by CrowdStrike in 2025, which found that politically sensitive trigger words caused DeepSeek to produce up to 50% more insecure code.
"The extreme version of what we're worried about here is what researchers call 'sleeper agents,'" Heim continued. "There's an existing paper from Anthropic that demonstrates you can train models to behave normally until a specific trigger condition is met — say, a particular year or context — at which point they start writing insecure code."
In the Booz Allen study, he explained, identifying oneself as a U.S. government agent was presented as such a trigger. Heim, however, said that he found it "pretty implausible that the Chinese developers intentionally implemented sleeper agents with these specific triggers," suggesting that the increased code insecurity was a side effect of broader "CCP-aligned fine-tuning" and that "the security differential they found is probably not that large in practice."
AI MODELS CAN SECRETLY INFECT EACH OTHER
"It is certainly possible to implement sleeper agents in these models for specific situations to write insecure code," he went on. "You might think: 'Well, I won't tell the model I'm in the US government — I'll just ask it to write code.' But as we move toward more agentic use, there will be lots of contextual information automatically fed to the model. You might give it an existing codebase, and that codebase often has a license header at the top that reveals which company or government agency it belongs to. That context could activate degraded behavior."
A source at Booz Allen told Fox News Digital that the authors of the report defined "vulnerabilities" as "code that can be exploited by an attacker" to allow for "unauthorized access, data theft, system disruption, or control of the affected software." The report looked at common security flaws such as "hardcoded passwords, SQL injection risks, missing security tokens, outdated encryption and disabled security checks."
Booz Allen’s analysts used both manual verification and automated checks to quantify the number of vulnerabilities in programs produced by each model.
A representative for Booz Allen told Fox News Digital that their team accessed the Chinese models online rather than using downloading them directly to their machines and running them locally. Heim said that Chinese models accessed in this way may be more prone to bias.
HOUSE BIPARTISAN BILL DIRECTS NSA TO CREATE 'AI SECURITY PLAYBOOK' AMID CHINESE TECH RACE
The report also found that Chinese LLMs refused to perform tasks that could conflict with the interests of the Chinese government at significantly higher rates than Claude. Similar tests performed by others have netted similar results.
"Many Chinese LLMs learn from data shaped by China’s internet and Chinese government information controls," the report notes. "Chinese law requires all AI models, training outputs, and data to reflect ‘Core Socialist Values.’"
Booz Allen recommended that the United States government take action to ban Chinese models for use on government or infrastructure work and recommended that contractors involved in such sectors, as well as the tech community generally, proactively work to remove code generated by such models from their supply chains.
"A lower-cost model may look attractive upfront, especially for startups or cost-constrained engineering teams," the report reads. "But that same model can become more expensive over time if it generates vulnerable code, creates uncertainty around data handling, or introduces behavior that standard enterprise controls do not easily catch."
Booz Allen's point of view has some sympathizers on Capitol Hill.
"American companies shouldn’t build applications and write code with Chinese models, which introduce more cyber vulnerabilities," Sen. Tom Cotton, R-Ark., told Fox News Digital when presented with Booz Allen's report. "And the federal government should certainly not buy software from companies using Chinese coding tools."