Chinese AI models raise 'sleeper agent' fears after report finds more vulnerable code for US users

Chinese AI models used to write code may be creating a hidden security risk for U.S. companies, federal officials and government contractors, per a new report published by a major defense contractor specializing in cyber security.

Chinese models are generally cheaper than their Western counterparts and work well enough to keep companies interested, a dynamic that has led to increased adoption in the United States and put some policymakers and national security experts on edge.

"I'd say there's an 80% chance they're using a Chinese open-source model," Martin Casado, a general partner at the major venture capital firm Andreessen Horowitz, said in November 2025 when asked about their prevalence among start ups. Major U.S. firms such as Meta, Airbnb and Perplexity are also reportedly using Chinese models.

"The first link in the software supply chain is no longer the code. It's the AI models behind it," the Booz Allen report reads. "As U.S. developers increasingly rely on AI to generate, debug, and secure code, we must confront a fundamental question: can the AI models writing and powering our nation's code be trusted?"

Qwen and MiniMax both produced code with significantly more vulnerabilities, increases of 130% and 20%, respectively, when they believed they were doing work for U.S. government employees as compared to a general prompt. DeepSeek, meanwhile, saw an increase of just 5% while Kimi produced code of a similar quality.

This means a government contractor relying on one of these models could unknowingly introduce coding flaws that make databases, applications or internal systems easier for hackers to exploit, potentially exposing sensitive American information.

The findings have drawn comparisons to so-called "sleeper agent" behavior where AI models appear to operate normally until exposed to a specific trigger that causes them to produce lower quality, or even deliberately insecure, outputs.

Experts interviewed by Fox News Digital expressed a range of opinions on Booz Allen's findings.

"While the raised risk categories are understandable, the report's stronger claims are not fully supported as presented," Lukasz Olejnik, a technology consultant who works as a senior research fellow at King's College London, told Fox News Digital. "The report underplays the complexity of the issue."

If Booz Allen's report were accurate, and if code written by Chinese models had made its way into the American supply chain, it would make it easier for hackers to get their hands on data that could imperil national security or infringe on the privacy of everyday Americans.

Booz Allen claims that "testing model behaviors by introducing specific context is a best practice in both defensive and offensive evaluations."

While Olejnik agreed that "model outputs can shift under variety of prompts," he added that "insufficient evidence has been posted to verify the causal claims or generalize them to Chinese LLMs as a class."

Lenart Heim, an independent researcher specializing in AI and semiconductors, was more open to Booz Allen's findings.

"It seems like a credible study, and I don't find the overall findings incredibly surprising," the researcher told Fox News Digital.

In the Booz Allen study, he explained, identifying oneself as a U.S. government agent was presented as such a trigger. Heim, however, said that he found it "pretty implausible that the Chinese developers intentionally implemented sleeper agents with these specific triggers," suggesting that the increased code insecurity was a side effect of broader "CCP-aligned fine-tuning" and that "the security differential they found is probably not that large in practice."

"It is certainly possible to implement sleeper agents in these models for specific situations to write insecure code," he went on. "You might think: 'Well, I won't tell the model I'm in the US government - I'll just ask it to write code.' But as we move toward more agentic use, there will be lots of contextual information automatically fed to the model. You might give it an existing codebase, and that codebase often has a license header at the top that reveals which company or government agency it belongs to. That context could activate degraded behavior."

Booz Allen's analysts used both manual verification and automated checks to quantify the number of vulnerabilities in programs produced by each model.

A representative for Booz Allen told Fox News Digital that their team accessed the Chinese models online rather than using downloading them directly to their machines and running them locally. Heim said that Chinese models accessed in this way may be more prone to bias.

The report also found that Chinese LLMs refused to perform tasks that could conflict with the interests of the Chinese government at significantly higher rates than Claude. Similar tests performed by others have netted similar results.

Booz Allen recommended that the United States government take action to ban Chinese models for use on government or infrastructure work and recommended that contractors involved in such sectors, as well as the tech community generally, proactively work to remove code generated by such models from their supply chains. 

"A lower-cost model may look attractive upfront, especially for startups or cost-constrained engineering teams," the report reads. "But that same model can become more expensive over time if it generates vulnerable code, creates uncertainty around data handling, or introduces behavior that standard enterprise controls do not easily catch."