Neuroimprint detector audits PEFT adapters

Neuroimprint-detector 0.1.0, a Python package, audits PEFT adapters for the NeuroImprint backdoor [Dev.to]. It loads adapters from disk or the Hugging Face Hub, flags identical rows of the weight matrix W₂, checks bias b₂ for quantile-aligned intervals, and looks for a rank-1 fingerprint (RaLU) [GitHub]. The tool supports BERT, GPT-2, Qwen2-1.5B, and Llama 3-3B. Reconstruction fidelity varies by optimizer: SGD-trained adapters achieve 77.4% (BERT) to 75.0% (Llama 3) reconstruction with semantic similarity > 0.99, while AdamW drops to 74.6% (BERT) and 0.767 similarity. The NeuroImprint attack, demonstrated by Shi et al. (2026), lets a malicious aggregation server corrupt a LoRA adapter so that the adapter memorizes raw training rows [Dev.to]. After fine-tuning, the attacker can reconstruct 59-79% of the original samples by reading the adapter weights alone. Auditing adapters before they are uploaded gives data owners a concrete line of defense: a backdoored adapter is rejected, and the recovered samples can be reported for compliance audits. The detector also provides a reproducible benchmark for future privacy-preserving FL research, forcing server-side attackers to expose their leakage in a measurable way. By integrating the detector into the FL aggregation pipeline, corrupted adapters can be filtered in real time, not after the fact.