promptexploit

LLM03:2025 Supply Chain - Simple Explanation

Supply chain risk means your AI app can be hurt by something you depend on. That dependency might be a Python package or a model file or a dataset or a LoRA adapter or a cloud platform.

Think of it like buying parts for a machine. Your own assembly can be careful. But if one part arrives with a hidden defect the whole machine can fail. In AI the hidden part may be a model weight file or training data or an adapter from a model hub.

Why this is different

Classic application security already worries about vulnerable libraries and outdated dependencies. LLM apps add a new layer. You may also depend on pre-trained models and fine-tuning adapters and model conversion services and external AI gateways.

This matters even if you do not train your own model. If your app calls a third-party model through a proxy or middleware then that proxy is part of your supply chain too.

Where risk enters

01 Packages: Old or vulnerable libraries can compromise an LLM app.
02 Licenses: Software and dataset terms can create legal risk.
03 Old models: Deprecated models may stop receiving fixes.
04 Pre-trained models: A model can hide bias or backdoors or malicious behavior.
05 Weak provenance: Model cards do not prove where a model really came from.
06 LoRA adapters: A small adapter can change the behavior of a trusted base model.
07 Shared workflows: Model merge and conversion services can become attack paths.
08 On-device models: Mobile or edge apps can be repackaged with tampered models.
09 Terms and privacy: A supplier may use app data for training in ways you did not expect.

LLM03 versus LLM04

LLM04 focuses on data and model poisoning itself. LLM03 focuses on how the bad artifact enters your stack. The same attack may touch both risks. The boundary is about the path of trust.

LLM03 supply chain: How a bad model or adapter or package gets accepted by your system.

LLM04 poisoning: How training data or model behavior gets corrupted.

Attack patterns

01 Vulnerable library: A Python dependency lets attackers compromise the AI app.
02 PoisonGPT style tampering: A model is changed directly so it spreads false answers.
03 Benchmark evasion: A model scores well on tests but hides targeted triggers.
04 Malicious adapter: A LoRA adapter changes a base model after it is merged.
05 Cloud platform attack: Firmware or cloud control issues expose model platforms.
06 GPU memory leak: Leftover local memory can reveal sensitive model activity.
07 Name squatting: A fake model uses a trusted name after the real one disappears.
08 Mobile repackaging: An app is rebuilt with a tampered model and sent to users.

Unsafe model loading

One common danger is treating a model file like passive data. Some model formats or loading paths execute code during load. Python's pickle format is the classic warning pattern: an object in the file can carry a __reduce__ method that pickle calls while deserializing, so a crafted file can run a reverse shell the moment the server loads it.
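The defensive counterpart to the pickle problem, as an added example that is not code from the original post or from OWASP: a loader that first walks the pickle opcodes statically (pickletools never executes anything) to list every module.name the file would import, and then loads through an Unpickler whose find_class refuses anything outside an allowlist. The allowlist and the sample pickles are constructed for illustration; a real deployment pins exactly the classes its checkpoint format needs. The third sample references a harmless function (pickletools.genops) purely to show that any import outside the allowlist is rejected, whatever it is.

```python
from __future__ import annotations

import io
import pickle
import pickletools
from collections import OrderedDict

# Globals the loader may resolve. Assumption: illustrative only; pin the exact
# classes your checkpoint format needs and nothing more.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


def scan_pickle(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the pickle would import.

    pickletools.genops walks opcodes without executing them, so this is safe
    on untrusted bytes. GLOBAL and INST carry "module name" as their argument;
    STACK_GLOBAL (protocol 4+) takes module and name from the two most
    recently pushed strings.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise pickle.UnpicklingError("malformed STACK_GLOBAL")
            found.append((recent_strings[-2], recent_strings[-1]))
        if isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Second gate at load time: every global goes through find_class."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from pickle")


def safe_load(data: bytes):
    """Scan first, then load through the restricted unpickler.

    Raises pickle.UnpicklingError if the file references any global outside
    ALLOWED_GLOBALS, before or during deserialization.
    """
    unexpected = [g for g in scan_pickle(data) if g not in ALLOWED_GLOBALS]
    if unexpected:
        raise pickle.UnpicklingError(f"pickle references disallowed globals: {unexpected}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_to_load(data: bytes) -> bool:
    """Predicate for a CI or ingest check: True only if safe_load would succeed."""
    try:
        safe_load(data)
    except Exception:  # UnpicklingError, or a malformed stream
        return False
    return True


# Constructed sample artifacts (not real model files).
PLAIN_WEIGHTS = pickle.dumps({"layer.0.weight": [0.1, 0.2, 0.3]})
ORDERED_WEIGHTS = pickle.dumps(OrderedDict(a=[1.0], b=[2.0]))
# References a function outside the allowlist; harmless here, but the loader
# treats it exactly like any other unexpected import.
OUTSIDE_ALLOWLIST = pickle.dumps(pickletools.genops)

if __name__ == "__main__":
    print("plain:", scan_pickle(PLAIN_WEIGHTS), safe_load(PLAIN_WEIGHTS))
    print("ordered:", scan_pickle(ORDERED_WEIGHTS), dict(safe_load(ORDERED_WEIGHTS)))
    print("outside allowlist:", scan_pickle(OUTSIDE_ALLOWLIST), is_safe_to_load(OUTSIDE_ALLOWLIST))
```

Two gates are used because the static scan is the cheap check you can run on a file before it is ever opened by a loader, while find_class is the last word even if the scanner missed an opcode pattern. Where you control the format, the stronger fix is to not accept pickle at all for third-party weights and require a data-only format such as safetensors.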

How to defend against it

01 Vet suppliers: Review data sources and model providers and their policies.
02 Use provenance checks: Prefer verifiable sources and signed artifacts and hashes.
03 Keep an inventory: Track packages and datasets and models with SBOM or AI BOM records.
04 Patch dependencies: Scan and update libraries and model serving infrastructure.
05 Red team models: Test third-party models for the exact use case you plan to ship.
06 Monitor shared workflows: Audit merge and conversion environments for abuse.
07 Manage licenses: Track software and dataset rights before commercial use.
08 Protect edge models: Use encryption and integrity checks and device attestation.

Legal and compliance risk

Supply chain risk is not only technical. A model or dataset can carry license duties that affect distribution or commercial use. A supplier can also change its terms and start using application data for training. That can create privacy and compliance problems.

This is why AI BOMs and model provenance are becoming important. Teams need to know what they run and where it came from and what rules apply to it.

Framework mapping

OWASP maps this risk to MITRE ATLAS AML.T0010 - ML Supply Chain Compromise. Unsafe model artifact cases also relate to techniques around malicious model artifacts and unsafe ML serialization.

One sentence: LLM03 is the risk that a model or adapter or dataset or package you trusted was already compromised before it reached your app.

Copyright and source notes

No third-party images are embedded in this post. The diagrams above are original HTML/CSS illustrations made for promptexploit. The factual risk description and mitigation categories are based on the official OWASP LLM03 page.