✓ What supply chain risk is — in plain English and in OWASP's definition: third-party components you didn't make but still trust
✓ Why it applies even if you “just call an API” — your proxy, gateway, and their dependencies are your supply chain
✓ The six links in the chain: packages, models, adapters, datasets, plugins, and infrastructure
✓ Six attack types — each anchored to a real, confirmed incident
✓ torchtriton (Dec 2022) — dependency confusion against PyTorch nightly
✓ Ultralytics (Dec 2024) — a poisoned CI/CD pipeline shipping a cryptominer
✓ Malicious pickle models on Hugging Face (JFrog) and the PickleScan bypass (CVE-2025-10155, CVSS 9.3)
✓ Backdoored LoRA adapters and the fake-OpenAI repo (244K downloads) — trust by name is not trust
✓ OWASP's scenarios: PoisonGPT, LeftoverLocals (CVE-2023-4969), on-device model swaps (DeepPayload), and shifting T&Cs
✓ All nine mitigations — what OWASP says, which real incident each closes, how to do it right, and how to validate
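As an added example for the malicious-pickle item and the "how to validate" item above (this is not code from the original page, from OWASP, JFrog or PickleScan): a static scanner that walks a pickle stream's opcodes with `pickletools.genops`, which parses without executing anything, and resolves every import-by-name the loader would perform. The allowlist is an assumption standing in for whatever a real checkpoint format legitimately needs; the "malicious" sample is constructed inline and is never passed to `pickle.load()`.

```python
"""Static scan of a pickle stream for code-loading opcodes, without unpickling it.

Added example, not code from the original page. ALLOWED_GLOBALS is an assumption
(a minimal set a plain tensor checkpoint might reference); the malicious sample is
constructed here and is never loaded, only serialized and inspected.
"""
import collections
import io
import pickle
import pickletools

# Assumption: callables a legitimate checkpoint may reference. Anything else
# (builtins.eval, posix.system, subprocess.*, ...) is a code-execution primitive.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "numpy.core.multiarray._reconstruct",
    "numpy.ndarray",
    "numpy.dtype",
}

# Opcodes that push a string constant: the only stack values we track, because
# STACK_GLOBAL (protocol 4+) takes its module and attribute names from the stack.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def scan_pickle(data: bytes) -> dict:
    """Resolve every import-by-name (GLOBAL, INST, STACK_GLOBAL) in the stream and
    count REDUCE calls. Deny by default: the stream is 'safe' only if every name it
    imports is on the allowlist; a name the scanner cannot resolve is treated as hostile."""
    stack, memo = [], {}           # shadow of the unpickler's stack/memo, strings only
    refs, reduces = [], 0
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name in STRING_OPS:
            stack.append(arg)
        elif name == "MEMOIZE":                     # proto 4: memo[next index] = top of stack
            memo[len(memo)] = stack[-1] if stack else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))             # a memoized string can feed STACK_GLOBAL too
        elif name in ("GLOBAL", "INST"):            # arg is "module attr"
            module, attr = arg.split(" ", 1)
            refs.append((f"{module}.{attr}", pos))
            stack.append(None)
        elif name == "STACK_GLOBAL":                # pops attr, then module
            attr = stack.pop() if stack else None
            module = stack.pop() if stack else None
            resolvable = isinstance(module, str) and isinstance(attr, str)
            refs.append((f"{module}.{attr}" if resolvable else "<unresolved>", pos))
            stack.append(None)
        elif name == "REDUCE":                      # calls whatever callable was imported
            reduces += 1
            stack.append(None)
        else:
            stack.append(None)                      # some other push; pops don't matter here
    disallowed = [(ref, pos) for ref, pos in refs if ref not in ALLOWED_GLOBALS]
    return {"globals": [ref for ref, _ in refs], "disallowed": disallowed,
            "reduce_ops": reduces, "safe": not disallowed}


class EvilCheckpoint:
    """Constructed sample: __reduce__ makes any unpickler call builtins.eval at load time."""
    def __reduce__(self):
        return (eval, ("print('code ran inside torch.load')",))


# Constructed inputs: a plain state-dict-like mapping, an allowlisted OrderedDict,
# and the same malicious object in protocol 3 (GLOBAL) and protocol 4 (STACK_GLOBAL).
BENIGN = pickle.dumps({"layer.weight": [0.1, -0.3, 0.25], "layer.bias": [0.0]}, protocol=4)
ORDERED = pickle.dumps(collections.OrderedDict([("w", [0.5])]), protocol=4)
MALICIOUS_P3 = pickle.dumps(EvilCheckpoint(), protocol=3)
MALICIOUS_P4 = pickle.dumps(EvilCheckpoint(), protocol=4)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("ordered", ORDERED),
                        ("malicious p3", MALICIOUS_P3), ("malicious p4", MALICIOUS_P4)]:
        r = scan_pickle(blob)
        print(f"{label:13s} safe={r['safe']} globals={r['globals']} reduce_ops={r['reduce_ops']}")
```

The check is deliberately an allowlist rather than a list of known-bad names: an attacker controls every string in the file, so the scanner also treats a module or attribute it cannot reconstruct from the stack as disallowed. It is a loader-side gate on the artifact, complementing rather than replacing the provenance controls (signed, pinned, hash-verified downloads) that the mitigation list covers.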