OWASP LLM Top 10 · LLM03
Supply Chain
Risk you inherit from third-party models, datasets, adapters and plugins you never built.
What it is
Few teams train their own model. You assemble one: a base model from a provider, perhaps a fine-tune or LoRA adapter, embeddings, datasets, plugins and SDKs. Every link is a dependency, and you inherit its risk: a tampered adapter, a poisoned dataset, a malicious or abandoned plugin, or a model whose licence and provenance you cannot actually account for.
How it shows up in real apps
- A fine-tune or adapter pulled from a public hub with no integrity check.
- Third-party 'tools/plugins' the agent can call that are themselves untrusted code paths.
- Vulnerable client libraries and SDKs in the serving stack.
- No record of which model version and data produced a given behaviour, which becomes a problem the moment a regulator or customer asks.
A concrete example
Scenario
A team adds a community LoRA to improve tone, downloaded from a public repo.
Attack
The adapter was tampered with to bias certain outputs or weaken refusals under a trigger phrase.
Result
Behaviour silently shifts in production with no obvious cause, and there is no provenance trail to diagnose it.
How we test for it
Supply-chain review is part testing, part inventory. We look at where models, adapters, datasets and plugins come from, whether they are integrity-checked and version-pinned, and whether the agent can reach third-party tools that act as unvetted code paths. We then probe those plugin and tool boundaries the same way we probe the model.
How to reduce the risk
- Pin and integrity-check models, adapters and datasets, and record provenance (version, source, hash).
- Vet plugins and tools as you would any dependency. Treat each as an untrusted execution surface.
- Keep an SBOM-equivalent for the AI stack so you can answer 'what changed?' after an incident.
- Prefer providers and artefacts whose licence and data lineage you can document.
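The first three points above (pin, integrity-check, record provenance) are straightforward to mechanise at load time. The script below is an added example, not Redproof's code or any hub's API: it keeps a manifest of pinned artefacts (name, source, version, SHA-256 recorded when the artefact was vetted), refuses to serve if any file is missing or its hash no longer matches, and appends every check to a JSONL ledger so "what changed?" has an answer. The artefact names, sources and bytes in `demo()` are constructed for the demonstration; the one thing to carry over is that the pinned hash lives in your repo, not on the download page.

```python
"""Pin, integrity-check and record provenance for third-party AI artefacts.

Added example (not Redproof's code). Manifest entries and files in demo()
are constructed; in practice the sha256 values are the ones you recorded
when you first vetted the artefact, stored with your code, not fetched
from the same place as the artefact.
"""
import hashlib
import hmac
import json
import os
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Pin:
    name: str      # file name the serving stack loads
    source: str    # where it was fetched from (hub path or URL)
    version: str   # tag or commit the hash was taken from
    sha256: str    # hex digest recorded at vetting time


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB adapters never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(pin: Pin, path: str) -> str:
    """Return 'ok', 'mismatch' or 'missing' for one artefact against its pin."""
    if not os.path.exists(path):
        return "missing"
    actual = sha256_file(path)
    # compare_digest is a cheap habit even where timing does not matter
    return "ok" if hmac.compare_digest(actual, pin.sha256) else "mismatch"


def record(pin: Pin, path: str, status: str, ledger_path: str) -> dict:
    """Append one provenance line (pin, observed hash, result, time) to a JSONL ledger."""
    entry = {
        **asdict(pin),
        "path": path,
        "observed_sha256": sha256_file(path) if os.path.exists(path) else None,
        "status": status,
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(ledger_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def check_manifest(pins: list[Pin], artefact_dir: str, ledger_path: str) -> dict[str, str]:
    """Verify every pinned artefact, record each outcome, return name -> status."""
    results = {}
    for pin in pins:
        path = os.path.join(artefact_dir, pin.name)
        status = verify(pin, path)
        record(pin, path, status, ledger_path)
        results[pin.name] = status
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one intact adapter, one tampered adapter, one never downloaded."""
    good = b"constructed adapter bytes v1"
    pinned = hashlib.sha256(good).hexdigest()  # hash recorded when the adapter was vetted
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "tone-lora.safetensors"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "refusal-lora.safetensors"), "wb") as f:
            f.write(good + b" (tampered)")  # bytes changed after the pin was recorded
        pins = [
            Pin("tone-lora.safetensors", "hub://example/tone-lora", "v1", pinned),
            Pin("refusal-lora.safetensors", "hub://example/refusal-lora", "v1", pinned),
            Pin("embeddings.bin", "hub://example/embeddings", "v3", "0" * 64),
        ]
        ledger = os.path.join(d, "provenance.jsonl")
        results = check_manifest(pins, d, ledger)
    return results


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out, indent=2))
    if any(status != "ok" for status in out.values()):
        raise SystemExit("refusing to start: artefact integrity check failed")
```

Run it as a startup gate in the serving container: a non-zero exit on any `mismatch` or `missing` is the point, since a silently swapped adapter is exactly the scenario above. The ledger line for each check is the provenance record the last bullet asks for; keep it alongside your SBOM rather than on the host that loads the model.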
EU AI Act: commonly maps to Art. 15 (robustness) and quality-management / record-keeping duties. Redproof reports findings as independent testing evidence, not a conformity verdict.
Test this on your own AI before someone else does
Redproof is independent red-teaming for LLM and AI-agent products. We probe your system for supply-chain weaknesses and the rest of the OWASP LLM Top 10, hand you severity-ranked findings with reproductions, fixes, and EU AI Act mapping, and re-test after you patch. That is the evidence your self-assessment needs, before a regulator or customer asks.