What if the next generation of language models were quietly trained on propaganda, misinformation, and subtly corrupted data injected by anyone with an LLM and a blog comment form? A new paper published on arXiv on July 19, 2026 by researchers at the University of Washington and the Allen Institute for AI demonstrates that this scenario is not just possible but practical at web scale. The paper, authored by Victoria Graf, Hannaneh Hajishirzi, Noah A. Smith, David Kohlbrenner, and Kyle Lo, introduces a fundamental shift in how the AI industry must think about training data security.
Previous research on data poisoning assumed that an attacker needed direct access to training pipelines or the ability to corrupt established sources like Wikipedia. This paper shatters that assumption. The attack vector is far simpler and far harder to defend against: public discussion interfaces on millions of websites. Any motivated actor can generate AI content at scale, post it to blog comments, forum threads, and feedback forms, and let web crawlers do the rest. The content injected today may not surface in a training corpus for months, making attribution nearly impossible.
What Problem This Solves: The Blind Spot in AI Security
The AI security community has focused heavily on model-level attacks. Jailbreaks, prompt injections, adversarial examples, and alignment failures have received extensive attention and funding. But the supply chain that produces the models themselves has remained largely unexamined. The assumption has been that web-scale data is too vast and heterogeneous to poison at scale, and that existing data curation pipelines are sufficient to filter out malicious content.
The paper demonstrates that both assumptions are wrong. The authors introduce a new analytical framework called HalfLife that measures the probability of adversarial content surviving through every stage of the pretraining data pipeline: injection onto web pages, presence in crawled data, persistence through text extraction, and survival through data curation filters including heuristic filtering, language identification, and deduplication. The results are sobering.
The HalfLife Methodology: Measuring Poison Inclusion
HalfLife breaks the end-to-end poisoning pipeline into discrete stages. Stage A is injection: an adversary posts content to a public discussion interface on a third-party website. The paper finds that WordPress accounts for 85.2 percent of comment-accepting pages in Common Crawl, with generic web forms accounting for 27.5 percent. Many of these platforms allow comments without account creation, meaning there is no barrier to entry for an attacker with an LLM.
Stage B measures whether injected content survives web crawling and HTML extraction. The researchers validated through sandboxed experiments that user-submitted comments appear in plaintext in the static HTML of target pages, meaning standard web scrapers will capture them without distinction from primary page content.
Stage C measures survival through data curation pipelines including heuristic filters, language identification, and near-deduplication. The paper uses the AllDressed pipeline from Dolma 3 as its reference, which is representative of the pipelines used by major open-source and commercial model developers. The key finding: current filter pipelines do not distinguish between primary content and user-submitted fragments. A comment containing a question-answer pair survives the same filters as an article.
Key Results: Why 0.13 Percent Matters More Than It Sounds
The headline result is that the end-to-end probability of a single poison injection surviving into the final training corpus is 0.13 percent. That number sounds vanishingly small until you put it in context. Common Crawl comprises 97 percent of the documents used in Dolma 3, 100 percent of DCLM, and 100 percent of FineWeb. Poisoning 0.13 percent of Common Crawl documents impacts more data than all of Wikipedia, which accounts for just 0.067 percent of documents in Dolma 3.
An adversary who wants to inject n poisoned documents must attempt injection on n divided by the inclusion probability. Given the massive scale of comment-accepting pages across the web, an attacker with a single LLM generating content at a modest rate can achieve meaningful contamination. The paper establishes that third-party injection poisoning attacks can lead to poison inclusion at practical scale, exceeding known poisoning thresholds required to induce harmful behaviors in trained models.
The paper also identifies a particularly concerning asymmetry: attackers may strategically target domains in lower-resource languages where they can achieve greater saturation of poison relative to the total available text, making scalable poisoning attacks disproportionately effective against models serving underrepresented communities.
What This Means for Builders
For startup founders and developers building on top of pretrained models, the implications are immediate and uncomfortable. Every major open-source model released in the next year was likely trained on data crawled from the public web during the period when AI-generated propaganda began flooding discussion platforms at scale. There is currently no way to know which models may have been affected.
Three responses are clear. First, data provenance tools are becoming critical infrastructure. Startups that can provide verifiable chain-of-custody for training data, distinguishing primary content from user-submitted fragments, will fill a gap that the paper demonstrates is currently wide open. Second, model developers need to add comment-aware extraction to their data curation pipelines as a standard filter stage, treating user-submitted content differently from editorial content. Third, companies deploying models should begin auditing their training data for signs of systematic contamination, particularly for models trained on web crawls from 2025 onward when AI-generated content began reaching saturation on public discussion platforms.
The paper concludes with a warning that should resonate with every founder in AI: current data curation pipelines operate at the document level and do not distinguish between primary content and user-submitted fragments, leaving this attack surface entirely unaddressed. The mitigations the authors propose, including comment-aware extraction and fragment-level filtering, are not yet implemented in any major training pipeline. For the security minded builder, that is both a warning and an opportunity.

