Sources & Attribution
Everything in this lesson, sourced.
Every incident, CVE, and research paper mentioned in LLM03:2025 — Supply Chain — traced back to where it came from.
Framework License

This lesson is built on the OWASP Top 10 for Large Language Model Applications (2025), released under Creative Commons Attribution-ShareAlike 4.0. Definitions, vulnerability categories, mitigation structure, and attack scenarios are drawn directly from this framework. Real-world incidents and research are independent factual reporting, cited individually below.

01
Primary Framework
The structure this entire lesson is built on
OWASP Top 10 for LLM Applications 2025 — LLM03: Supply Chain
OWASP Foundation · Released 2025 · CC BY-SA 4.0
Cited for: Core definition, 9 vulnerability categories, 10 mitigations, and the sample attack scenarios retold in Part 3 (#2, #8, #11, #13)
genai.owasp.org →
02
CVEs — Official Records
Formally catalogued vulnerabilities referenced in this lesson
CVE-2025-10155 — PickleScan Bypass · CVSS 9.3 · Critical
picklescan ≤ 0.0.30 · File-extension-mismatch evasion · Fixed in 0.0.31 · Found by JFrog
Cited for: Scanner-bypass attack type and defense-in-depth / patching mitigations, slides 12, 21
NVD record →
CVE-2023-4969 — LeftoverLocals · CVSS 6.5 · Medium
GPU local-memory leak · Apple, Qualcomm, AMD, Imagination GPUs · Found by Trail of Bits (Tyler Sorensen)
Cited for: OWASP Scenario #8 — shared-infrastructure data recovery, slide 16
NVD record →
03
Confirmed Incidents
Real-world events verified against primary or first-party sources
torchtriton — PyTorch Nightly Dependency Confusion · Project Disclosure
PyTorch · Dec 25–30, 2022 · Malicious PyPI package shadowed a private dependency; exfiltrated SSH keys, /etc/passwd, and home-directory files
Cited for: The opening story and dependency-confusion attack type, slides 1, 2, 9 (OWASP Scenario #1)
PyTorch disclosure →
Ultralytics YOLO — Compromised CI/CD Supply-Chain Attack · Reported Incident
PyPI Safety & Security blog · Dec 4–7, 2024 · GitHub Actions script injection injected an XMRig cryptominer into v8.3.41/42/45/46
Cited for: Poisoned-build-pipeline attack type and collaborative-environment monitoring, slides 10, 25
PyPI analysis →
~100 Malicious Models on Hugging Face · Security Research
JFrog Security Research · Feb 2024 · Pickle __reduce__ payloads — reverse shells and credential theft on model load
Cited for: Malicious-model-file attack type, slide 11
JFrog research →
Fake “OpenAI” Repo Tops Hugging Face — Infostealer · Reported Incident
BleepingComputer / HiddenLayer · May 2026 · Typosquat with verbatim-copied model card · loader.py → Rust infostealer · ~244K downloads (likely inflated), briefly #1
Cited for: Fake/abandoned-model attack type, slide 14
BleepingComputer →
Model Namespace Reuse · Security Research
Palo Alto Networks Unit 42 · Sept 3, 2025 · Re-registering abandoned model names → RCE on Google Vertex AI and Azure AI Foundry
Cited for: “Trust by name” failure and pin-to-publisher defense, slides 14, 22
Unit 42 →
04
Research & Demonstrations
Peer-reviewed and disclosed research cited in this lesson
PoisonGPT — Hiding a Lobotomized LLM on Hugging Face · Research Demo
Mithril Security · 2023 · ROME model editing on GPT-J-6B · ~0.1% benchmark difference · Catalogued as MITRE ATLAS AML.CS0019
Cited for: Direct model tampering, OWASP Scenario #2, slide 15
Mithril Security →
LeftoverLocals — Listening to LLM Responses via GPU Memory · Security Research
Trail of Bits · Jan 16, 2024 · Technical writeup of CVE-2023-4969
Cited for: Shared-GPU data-recovery mechanics, slide 16
Trail of Bits →
DeepPayload: Black-box Backdoor Attack on DL Models via Neural Payload Injection · Research Paper
Li, Hua, Wang, Chen & Liu · ICSE 2021 · arXiv:2101.06896 · 54 real Google Play apps found vulnerable
Cited for: On-device model swap, OWASP Scenario #11, slide 17
arXiv:2101.06896 →
Token-Level Generalization in LoRA Adapter Backdoors · Research Paper
Travis Lelle · arXiv:2605.30189 · A small fraction of poisoned examples drives a clean-accuracy-preserving backdoor to saturation
Cited for: Vulnerable LoRA-adapter attack type and anomaly/robustness testing, slides 13, 26
arXiv:2605.30189 →