PHANTOM: a 47k-sample dataset for stress-testing vision-language model safety
A June 2026 paper releases PHANTOM, an open dataset of 47,524 pre-generated multimodal adversarial samples across 55 harm subcategories — built to make VLM robustness evaluation reproducible and cheap.
What is this?
In June 2026, researchers released PHANTOM, an open-source dataset of pre-generated multimodal adversarial attacks aimed at vision-language models (VLMs). The dataset bundles 47,524 adversarial samples spanning 10 high-level harm categories and 55 subcategories, built on top of 7,826 harmful intents consolidated and extended from earlier benchmarks. It is published on Hugging Face for anyone to download.
The point of PHANTOM is not a new attack. It is infrastructure. Generating large batches of multimodal adversarial examples is expensive and fiddly — you need the attack code, the compute, and the reference intents. PHANTOM pre-computes that work and hands it to the community as a reusable evaluation set, so a defender can measure how a VLM behaves against a broad, representative slice of image-plus-text attacks without rebuilding the attack pipeline first. We cover it because reproducible, shared evaluation sets are exactly what the defensive side of multimodal security has been missing.
How it works
A VLM takes an image and text together and reasons over both. That second input channel — the image — is an attack surface that text-only guardrails often do not watch. Adversarial content can hide in pixels (imperceptible perturbations), in rendered text inside an image, or in the combination of a benign-looking picture and a benign-looking prompt that only becomes harmful when fused. This is the same class of problem covered in image-only prompt injection and visual prompt injection that bypasses guardrails.
PHANTOM is a dataset, not an exploit kit, so what matters here is its structure rather than any payload:
Layer PHANTOM contents
--------------- ---------------------------------------------------
Intents 7,826 harmful-intent seeds, consolidated from
multiple prior benchmarks + one added category
Taxonomy 10 high-level categories / 55 subcategories of harm
Samples 47,524 pre-generated multimodal adversarial examples
Method Attacks produced with state-of-the-art strategies
drawn from recent published literature
Use Robustness scoring, guardrail stress-testing,
training/fine-tuning attack-detection models
Two design choices give it defensive value. First, the taxonomy means a defender can report robustness per harm category instead of as one blurred average — a model can be solid on one class and soft on another, and a flat score hides that. Second, because the samples are pre-generated and shared, two teams can run the same inputs against different models and get comparable numbers, which is the property that turns anecdotes into benchmarks. The authors frame the whole effort as lowering the barrier to adversarial research and making VLM safety evaluations more reproducible and comparable — a direction echoed in the broader survey literature on multimodal attacks.
Why it matters
Multimodal deployments are shipping faster than the evaluation tooling around them. A VLM wired into a browsing agent, a document pipeline, or a customer-support flow inherits every image it is asked to look at as untrusted input, and most safety testing to date has leaned heavily on text prompts. A large, categorized, openly available adversarial set changes the economics of testing: robustness measurement becomes something a mid-sized team can do before shipping, not a research project in its own right.
There is a dual-use tension worth naming. The same 47k samples that let defenders stress-test a guardrail can, in principle, be used to fine-tune attack-generation models — the paper lists that among the use cases. But the samples are consolidated from already-public benchmarks and generated with already-published techniques; the marginal capability handed to an attacker is small, while the marginal capability handed to defenders and evaluators is large. Shared, standardized test sets have repeatedly moved security forward precisely because both sides can see the same yardstick.
Defenses
A dataset like this is only useful if it feeds a process. Treat it as an evaluation input, not a checkbox.
-
Benchmark before you deploy, and per category. Run a representative slice against your VLM and report robustness by harm subcategory. A single averaged pass rate will hide the classes where your model is weakest.
-
Guard the image channel explicitly. Assume text-only input filtering does not see attacks carried in pixels or rendered text. Add image-aware moderation and OCR-plus-policy checks on visual content before it reaches the model.
-
Re-test after every model or prompt change. VLM behavior shifts with fine-tunes, system-prompt edits, and version bumps. A fixed, shared set lets you detect regressions instead of discovering them in production.
-
Separate untrusted media from instructions. Apply information-flow controls so image content is treated as data, never as commands — the same contextual-integrity principle that applies to text.
-
Track your own residual rate over time. The number that matters is not “we tested” but “what fraction still gets through after our defenses” — and whether that fraction is trending down release over release.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| PHANTOM dataset paper | arXiv:2606.24388 | 2026-06 | Open dataset, 47,524 multimodal adversarial samples |
| Taxonomy | Paper | 2026-06 | 10 categories / 55 subcategories, 7,826 intents |
| Distribution | Hugging Face (it4lia/PHANTOM) | 2026-06 | Publicly downloadable |
| Context | Multimodal-attack survey (arXiv:2603.27918) | 2026-03 | Broader landscape of VLM adversarial methods |
The takeaway is not that VLMs are newly broken — the image channel has been a known weak spot. The takeaway is that measuring how broken, per harm class and in a way another team can reproduce, just got a lot cheaper. That is the kind of shared artifact a security team should fold into its pre-deployment checklist for any model that accepts images.