LLM Supply Chain Vulnerabilities
detect, understand, remediate

Foundation model and fine-tuned checkpoint

The base model from a public registry (Hugging Face, vendor model hub, internal mirror) plus any fine-tuned variant the team trained or downloaded. The artefact is a multi-gigabyte file. The bytes carry the weights, but the file format can also carry code that runs on load: pickle files execute arbitrary Python at deserialisation, custom safetensors loaders may read metadata as code, GGUF readers shipped with model servers have had CVE history. The artefact identity is the file hash, the publisher signature, the model card pointer, and the licence record.

LoRA, adapter, and quantised variant

A small file that modifies a base model behaviour. LoRA adapters, quantised variants (GPTQ, AWQ, GGUF Q4_K_M), and merged checkpoints typically come from community contributors. The artefact may be a few megabytes, easy to share, and trivial to swap. A planted adapter that activates a behavioural trigger on a specific token sequence does not need a foundation-model-level compromise; the adapter alone is enough.

Embedding model and tokenizer

The pieces that turn text into vectors and back. Embedding models ship as model files with the same integrity question as the foundation model. Tokenizers ship as JSON or binary files that the runtime trusts to map token IDs back to text. A tampered tokenizer can re-route specific token IDs, leak chosen substrings, or break the safety filter the application code relies on without changing a line of application source.

Model card, dataset card, and licence

The structured documentation that ships alongside the artefact. The model card declares training data, evaluation results, intended use, limitations, and known risks. The dataset card declares provenance, licence, and content classes. A model card that misrepresents training data, omits known risks, or claims a licence that does not apply transfers the legal and security risk to the consumer without warning. The card is part of the supply chain, not metadata around it.

Inference SDK and model server runtime

The runtime stack between the application and the model: the inference SDK (Anthropic, OpenAI, vendor SDK, open-source clients), the local model server (vLLM, TGI, llama.cpp, Ollama, LM Studio backends, Triton), the orchestration helper, the tool-call library, and the agent framework. Each ships dependency trees of its own, each can carry CVEs, and each can ship a vulnerable transitive package that lands inside the production serving worker.

Plugin, tool, and extension package

The packages the agent loads to call external tools. A plugin manifest, a function-calling tool registry, a Model Context Protocol server package, or a community plugin distribution lists code the agent will run during a session. A compromised plugin executes inside the agent context with whatever credentials and network access the agent holds. The plugin is supply chain even when the agent never reaches a model.

Training pipeline tooling and evaluation harness

The build tools the team operates: the fine-tune script, the data-preparation pipeline, the evaluation harness (lm-evaluation-harness, custom evaluation packs), the experiment tracker, and the artefact uploader. Compromise here turns a clean dataset into a tainted artefact, a passing evaluation into a misleading pass, or a fine-tune into a tampered checkpoint uploaded to the registry as if it were clean.

Deployment artefact and serving container

The final shape that runs in production: the container image, the deployment manifest, the init script, the model-loader entry point, and the runtime configuration. A base image with a poisoned dependency, an init script with a piggybacked download step, or a model-loader entry point that pulls an artefact from a writable cache replaces the integrity envelope at the last step before serving.

Treating model artefacts as inert data

The team treats a checkpoint as a static binary blob and a tokenizer as a JSON map. The reality is that model file formats can carry executable code (pickle), and tokenizer files are trusted by the runtime to map input tokens to text. Both are artefacts that need the same supply chain rigour as a compiled library: hash pin, signature verify, source allow-list, change record.

No inventory of AI artefacts in production

The team can list its production application dependencies but cannot list the foundation model, the fine-tunes, the LoRA adapters, the embedding model, the tokenizer, the inference SDK, the model server, the plugin set, and the model card pointers that actually ship into serving workers. Without the inventory there is no control surface to apply.

Pulling from any registry the build host can reach

The build infrastructure has outbound access to any public registry, any community repository, any model hub account, and any package index. There is no allow-list of approved namespaces, no per-namespace policy, and no content-hash pin in the manifest. The path of least resistance becomes the path of compromise.

Model loaders that deserialise untrusted code

A model loader accepts a pickle file, an older PyTorch state_dict, a legacy custom format, or a model file with custom code that the loader silently executes during load. The team picked the loader for performance or convenience and inherited a deserialisation surface that has CVE history.

Fine-tune approvals that do not record provenance

A fine-tune job runs from a shared bucket or a script someone wrote. There is no named approver, no recorded provenance for the base model, the fine-tune dataset, the training script version, the evaluation set, and the publisher of the resulting artefact. Once the artefact is published to the internal registry it looks the same as any other approved checkpoint.

Plugins and tools adopted without security review

An engineer adopts a community plugin, a Model Context Protocol server, an agent framework extension, or a tool-call library because it solves a problem in a sprint. The plugin enters the production agent context with whatever credentials and network access the agent holds. There is no review of the plugin source, the plugin dependency tree, the plugin publisher reputation, or the plugin update channel.

Automated detection

• SecPortal code scanning runs Semgrep SAST and dependency analysis against connected GitHub, GitLab, and Bitbucket repositories. Findings surface in model-loader call sites that deserialise untrusted formats, build manifests that pull AI artefacts from any registry without a content-hash pin, inference SDK and model server pins that lag behind published CVEs, and tool-call or plugin registrations that load packages from unallow-listed namespaces
• External scanning enumerates exposed inference endpoints, public model-server admin surfaces, leaked artefact directories, accidentally public model registries, and debug routes that disclose the inference SDK version or the model server build, so a publicly visible supply chain gap (unpatched model server, exposed management API, version banner pinned to a vulnerable build) lands as a finding before an external researcher writes the writeup
• Authenticated scanning drives the deployed AI feature with probes against the agent tool path: requests that exercise the plugin or tool registry, requests that try to invoke a plugin outside the documented allow-list, requests that exercise the agent network access boundary, and requests that test the model-server management plane for any plugin-or-tool registration surface that bypasses authentication
• Continuous monitoring re-runs the artefact integrity check on the configured cadence. A model upgrade, a new fine-tune publication, an inference SDK bump, a model server update, a plugin adoption, or a deployment manifest change that re-opens a previously closed supply chain finding surfaces against the baseline rather than waiting for the next supply-chain audit
• Bulk finding import accepts CSV intake from dedicated AI artefact scanners, model file format scanners, model card validators, AI BOM generators, and software composition analysis tools that emit AI-aware output, so external scanner results land on the same engagement record as the SecPortal-driven probes with one CVSS 3.1 calibration applied across the LLM03 finding chain

Manual testing

• Produce the AI artefact inventory for the feature: the foundation model and version, the fine-tunes, the LoRA adapters, the embedding model, the tokenizer, the inference SDK and version, the model server and version, the agent framework, the plugin and tool registrations, and the deployment artefact (container image and tag), with a hash pin and a source registry reference per entry
• Walk the build pipeline and confirm a content-hash pin and a publisher signature verification step exist at every artefact pull. Pull a known mismatch (a wrong hash, an unsigned artefact, a typosquatted namespace) into a build branch and confirm the pipeline blocks before the artefact reaches a deployable bundle
• Review the model-loader code path and confirm the loader refuses unsafe file formats (raw pickle without sandboxing, custom formats that execute code on load). If the application has a legacy model in pickle form, confirm the load step runs in an isolated process with no production credentials and no production network access
• Review every LoRA, adapter, quantised variant, and merged checkpoint in production for source, publisher attestation, hash pin, and security review record. Replay the inventory against a known list of upstream changes since the last review and surface every artefact that moved without a recorded approval
• Validate the model card and dataset card for every artefact. Confirm the declared training data, the declared licence, the declared known risks, and the declared evaluation evidence match the upstream publisher record and the engineering team understanding of how the artefact is used
• Walk the inference SDK, the model server, the orchestration helper, the tool-call library, the agent framework, and the experiment-tracker SDK against the current CVE feed. Record every transitive dependency with an unpatched CVE that reaches the production serving worker
• Review every plugin, tool, and Model Context Protocol server package the agent loads. Confirm an explicit allow-list, a per-plugin source review, a per-plugin dependency review, a per-plugin publisher attestation, and a documented update channel for each entry

Finding with the artefact identity and integrity envelope

The finding captures the artefact identity (file name, content hash, source registry, publisher namespace, model card or dataset card pointer, licence record), the integrity check that failed (no hash pin, wrong hash, unsigned, signature outside the pinned key set, deserialisation surface, unpatched CVE in transitive dependency), and the deployment context the artefact reached (build branch, container image tag, serving worker, agent context). AppSec, ML platform, product security, vendor risk, and GRC read the same record the engineering team uses to ship the fix.

Code scanning across model loaders, build manifests, and tool registries

Code scanning runs Semgrep SAST and dependency analysis against connected GitHub, GitLab, and Bitbucket repositories. Findings surface at model-loader call sites that deserialise untrusted formats, build manifests that pull AI artefacts from unallow-listed namespaces or without a content-hash pin, inference SDK and model server pins that lag behind published CVEs, and tool-call or plugin registrations that load packages outside the approved allow-list.

External scanning across exposed AI infrastructure

External scanning enumerates exposed inference endpoints, public model-server admin surfaces, leaked artefact directories, accidentally public model registries, and debug routes that disclose the inference SDK version or the model server build. A publicly visible supply chain gap (unpatched model server, exposed management API, version banner pinned to a vulnerable build) lands as a finding before an external researcher writes the writeup.

Authenticated scanning against the agent tool path

Authenticated scanning drives the deployed AI feature with probes against the agent tool path: requests that exercise the plugin or tool registry, requests that try to invoke a plugin outside the documented allow-list, requests that exercise the agent network boundary, and requests that test the model-server management plane for plugin-or-tool registration surfaces that bypass authentication. Each finding ties the response to the artefact that allowed the call.

Continuous monitoring against artefact drift

Continuous monitoring re-runs the artefact integrity check on the configured cadence. A model upgrade, a new fine-tune publication, an inference SDK bump, a model server update, a plugin adoption, or a deployment manifest change that re-opens a previously closed supply chain finding surfaces against the baseline rather than waiting for the next supply-chain audit.

Bulk import for AI artefact scanners and BOM tooling

Bulk finding import accepts CSV intake from dedicated AI artefact scanners, model file format scanners, model card validators, AI BOM generators, and software composition analysis tools that emit AI-aware output. External scanner results land on the same engagement record as the SecPortal probes with one CVSS 3.1 calibration applied across the LLM03 finding chain.

Document management for the canonical inventory

Document management stores the AI artefact inventory, the allowed-registry list, the allowed-publisher namespace list, the pinned signing key set, the model loader policy, the model card and dataset card per artefact, the fine-tune approval record, the plugin allow-list, the AI BOM, and the regulatory mapping per finding. Each artefact attaches to the finding so the auditor reads the operating record the engineering programme runs against.

Retest after the remediation ships

Once the fix deploys (the build manifest pins the artefact, the publisher signature verifies against the pinned key, the model loader refuses unsafe formats, the inference SDK or model server lands at the patched version, the plugin enters the documented allow-list, or the fine-tune publishes through the approval workflow), a targeted retest replays the integrity envelope check and records the post-fix result on the finding. The finding closes against the evidence rather than against a developer assertion.

AI-assisted writeups within verified scope

AI reports generate the writeup, the executive summary, and the developer-facing reproduction steps from the finding record. The narrative stays within the verified evidence on the finding (the artefact identity, the integrity envelope, the deployment context, the regulatory mapping) and does not invent signing services, sandboxes, or runtime tooling the product does not have.

Compliance tracking pairs the fix to control evidence

Compliance tracking maps LLM03 findings to the controls that read against them: OWASP LLM Top 10 LLM03, OWASP AISVS supply chain chapters, NIST AI RMF Map and Manage, ISO/IEC 42001 AI lifecycle and third-party risk, EU AI Act Article 15 cybersecurity, NIST SSDF PS.1 to PS.3 and PO.5, NIST SP 800-218A SSDF for AI, NIST SP 800-161 cyber supply chain risk, ISO 27001 Annex A 5.20 to 5.23 supplier relationships and A.8.30 outsourced development.