LoRA is a cheap way to customize a big model: instead of retraining it, you ship a small adapter file that nudges its behavior. Teams download community adapters constantly; they're tiny, convenient, and get merged straight into a trusted base model. That convenience is the attack surface (OWASP Top 10 for LLM Applications, LLM03:2025 Supply Chain Vulnerabilities, example risk #6: Vulnerable LoRA Adapters).
The finding: researchers showed a shared LoRA adapter can be reliably backdoored with only a small fraction of poisoned training examples: the hidden trigger reaches near-total attack success while clean-task accuracy is preserved, so the adapter looks completely normal.
Why it's dangerous: the poisoned adapter behaves correctly on normal inputs and on safety benchmarks. The malicious behavior fires only on the attacker's secret trigger, so ordinary evaluation (held-out accuracy, red-team prompts that happen not to contain the trigger) never catches it.
The ecosystem risk: most teams consume third-party adapters rather than train their own — so the artifact you must vet is often the adapter itself, not just the base model.
Treat adapters as untrusted code: source them from providers whose identity you can verify, pin a hash or check a signature on the exact file you load, inspect the file's structure before loading it (a "LoRA adapter" should contain nothing but LoRA matrices), and run adapter-specific backdoor detection before merging (Part 4). Do the vetting before the merge: once the adapter is folded into the base weights, its contribution can no longer be separated out and inspected.
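As an added example (not code from the original page or from the cited research), here is a pre-merge gate for the hash-pinning and structural-inspection steps above. It parses the safetensors header directly (8-byte little-endian header length, JSON header, then tensor bytes), checks the file against a pinned SHA-256, and allowlists the tensor names, dtypes, shapes and ranks a PEFT-style LoRA adapter should carry, so a file that smuggles in a full replacement weight or mismatched offsets is rejected. The key pattern `base_model.model.<layer>.lora_{A,B}.weight`, the allowed dtypes and the sample adapters are assumptions constructed for the demo; the pinned hash would normally come from the publisher's signed manifest, not from the file itself. It does not replace behavioral backdoor detection, which this check cannot do.

```python
import hashlib
import json
import re
import struct

# Assumed naming for a PEFT-style LoRA checkpoint: one A and one B matrix per
# adapted linear layer. Anything else in the file is treated as suspicious.
LORA_KEY = re.compile(r"^base_model\.model\.(?P<layer>[\w.]+)\.lora_(?P<ab>[AB])\.weight$")
ALLOWED_DTYPES = {"F32", "F16", "BF16"}
ITEM_SIZE = {"F32": 4, "F16": 2, "BF16": 2}


def build_safetensors(tensors, metadata=None):
    """Serialize {name: (dtype, shape, raw_bytes)} in safetensors layout.
    Only used here to construct sample adapters in memory for an offline run."""
    header, blobs, offset = {}, [], 0
    if metadata is not None:
        header["__metadata__"] = metadata
    for name, (dtype, shape, data) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [offset, offset + len(data)]}
        blobs.append(data)
        offset += len(data)
    hjson = json.dumps(header).encode()
    return struct.pack("<Q", len(hjson)) + hjson + b"".join(blobs)


def parse_header(blob):
    """Read the safetensors header without deserializing any tensor data."""
    if len(blob) < 8:
        raise ValueError("file too short for a safetensors header")
    (hlen,) = struct.unpack("<Q", blob[:8])
    if 8 + hlen > len(blob):
        raise ValueError("header length exceeds file size")
    return json.loads(blob[8:8 + hlen]), 8 + hlen


def vet_adapter(blob, pinned_sha256, expected_rank):
    """Return a list of findings; an empty list means the adapter passed the gate."""
    findings = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest != pinned_sha256:
        findings.append(f"sha256 mismatch: got {digest}")
    header, data_start = parse_header(blob)
    data_len = len(blob) - data_start
    pairs = {}
    for name, entry in header.items():
        if name == "__metadata__":
            continue
        m = LORA_KEY.match(name)
        if not m:
            findings.append(f"unexpected tensor {name!r}: not a LoRA A/B matrix")
            continue
        if entry["dtype"] not in ALLOWED_DTYPES:
            findings.append(f"{name}: disallowed dtype {entry['dtype']}")
            continue
        shape = entry["shape"]
        if len(shape) != 2:
            findings.append(f"{name}: expected a 2-D weight, got shape {shape}")
            continue
        # A is [rank, in_features], B is [out_features, rank].
        rank = shape[0] if m["ab"] == "A" else shape[1]
        if rank != expected_rank:
            findings.append(f"{name}: rank {rank} != declared rank {expected_rank}")
        pairs.setdefault(m["layer"], set()).add(m["ab"])
        start, end = entry["data_offsets"]
        if end - start != shape[0] * shape[1] * ITEM_SIZE[entry["dtype"]]:
            findings.append(f"{name}: data_offsets do not match shape/dtype")
        if end > data_len:
            findings.append(f"{name}: data_offsets run past end of file")
    for layer, parts in pairs.items():
        if parts != {"A", "B"}:
            findings.append(f"{layer}: LoRA A/B pair is incomplete")
    return findings


# Constructed sample: a rank-2 adapter over one attention projection (zeros suffice
# for a structural check; real values are irrelevant to this gate).
RANK, IN_F, OUT_F = 2, 8, 8
A_KEY = "base_model.model.layers.0.self_attn.q_proj.lora_A.weight"
B_KEY = "base_model.model.layers.0.self_attn.q_proj.lora_B.weight"
GOOD = build_safetensors({
    A_KEY: ("F32", [RANK, IN_F], b"\x00" * (4 * RANK * IN_F)),
    B_KEY: ("F32", [OUT_F, RANK], b"\x00" * (4 * OUT_F * RANK)),
}, metadata={"format": "pt"})
# In practice this pin comes from the publisher's signed manifest, not from the file.
GOOD_SHA256 = hashlib.sha256(GOOD).hexdigest()

# Constructed sample of a smuggled tensor: same adapter plus a replacement lm_head.
SMUGGLED = build_safetensors({
    A_KEY: ("F32", [RANK, IN_F], b"\x00" * (4 * RANK * IN_F)),
    B_KEY: ("F32", [OUT_F, RANK], b"\x00" * (4 * OUT_F * RANK)),
    "lm_head.weight": ("F32", [4, 4], b"\x00" * 64),
})
# Constructed sample of silent tampering: one byte of tensor data flipped.
TAMPERED = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("smuggled", SMUGGLED), ("tampered", TAMPERED)]:
        print(label, vet_adapter(blob, GOOD_SHA256, RANK) or "OK")
```

The header is parsed by hand rather than through a model loader so the check never deserializes tensor data from an untrusted file; a pickle-based checkpoint would need a stricter rule (refuse it outright), since its "header" is executable.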