In November 2024, OWASP released the 2025 edition of the OWASP Top 10 for LLMs — formally, the Top 10 for LLM Applications — reshuffling the list to push LLM03: Supply Chain Vulnerabilities and LLM04: Data and Model Poisoning ahead of flashier risks like jailbreaking. The timing wasn't accidental. Enterprise GenAI adoption jumped from pilot projects to production systems in under two years, and with it came a wave of incidents that had nothing to do with clever prompts: poisoned Hugging Face models, a hijacked PyTorch dependency, and fine-tuning pipelines pulling from unverified data sources. Security teams that built their AI defenses around prompt filtering are discovering the real exposure sits upstream — in the models, weights, plugins, and training data flowing into their systems. Competitors like Aqua Security have extended container and cloud-native scanning toward AI workloads, but scanning a container image tells you little about whether the model inside it was tampered with. This piece breaks down what the OWASP LLM Top 10 actually says, where it overlaps with traditional supply chain security, and where the gaps remain.
What Is the OWASP Top 10 for LLM Applications, and What Changed in the 2025 Update?
The OWASP Top 10 for LLM Applications is a community-maintained ranking of the most critical security risks in large language model systems, first published in August 2023 as version 1.0 and substantially revised in the version dated November 2024 (commonly called the "2025" list). The current ten categories are: LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses, LLM09 Misinformation, and LLM10 Unbounded Consumption.
Two changes stand out. First, "Training Data Poisoning" was renamed and broadened into LLM04 to explicitly cover post-training and fine-tuning stages, not just the original dataset. Second, LLM08 (vector and embedding weaknesses) is entirely new, reflecting how fast retrieval-augmented generation (RAG) architectures were adopted between 2023 and 2024 — and how little scrutiny the embedding stores behind them received. OWASP's working group, which by 2024 included contributors from over 500 organizations, effectively signaled that the industry's risk model had shifted from "the model says something bad" to "the pipeline feeding the model was never verified."
Why Did Supply Chain Vulnerabilities Move Up the List?
LLM03 climbed because the components feeding an LLM application — base models, LoRA adapters, datasets, and plugins — are sourced the same way open-source packages are, with almost none of the same scrutiny. In February 2024, JFrog's security research team scanned public Hugging Face repositories and identified roughly 100 models containing malicious code capable of executing arbitrary commands on load, several using PyTorch's pickle format to smuggle payloads that would run the moment a data scientist called torch.load(). In December 2022, PyTorch's own nightly builds were compromised through a dependency confusion attack: a malicious package named torchtriton was uploaded to the public PyPI index with a higher version number than the legitimate internal package, and pip silently preferred it, exfiltrating SSH keys and environment variables from anyone who installed the nightly build during that window.
In June 2024, Trail of Bits disclosed "Sleepy Pickle," a technique for embedding malicious code directly inside a serialized model file that activates only after the model is unpickled — meaning a scanned, seemingly clean model can still weaponize itself at load time. None of these incidents involved a bad prompt. All three involved an unverified artifact entering a build or inference pipeline, which is exactly the failure mode LLM03 was written to describe.
How Is Prompt Injection Different From Traditional Injection Attacks?
Prompt injection is different because it exploits an LLM's interpretation of natural language rather than a fixed parsing grammar, so there's no single character to escape or sanitize the way you'd handle SQL injection. Indirect prompt injection is the harder variant: instructions hidden in a webpage, PDF, email, or Slack message get pulled into the model's context by a retrieval step and are then followed as if the user had typed them. In August 2024, researchers at PromptArmor demonstrated that Slack's AI assistant could be manipulated into leaking data from private channels through instructions planted in a public channel message — the user never saw the injected text, only the exfiltrated result. Microsoft's Bing Chat ("Sydney") suffered a related class of issue in February 2023, when users coaxed hidden system instructions out of the model through adversarial conversation.
LLM01 remains the most-cited category precisely because it has no complete fix: input filtering, output encoding, and least-privilege tool access all reduce the attack surface, but as long as an LLM treats retrieved content and user instructions as the same kind of text, some injection vector will exist.
Can Container and Cloud Security Platforms Like Aqua Security Actually Cover These Risks?
Partially — Aqua Security's platform, built around Trivy and its CNAPP suite, extends vulnerability and misconfiguration scanning to AI/ML workloads, including model files and the containers that serve them, and Aqua has published guidance mapping some of its detections to OWASP's LLM categories. Where it falls short is depth on the categories that matter most in the 2025 list. Trivy-style scanning is fundamentally CVE- and pattern-matching-driven: it's well-suited to catching a known-vulnerable package version inside an image layer, which addresses part of LLM03. It is not designed to verify model provenance (was this checkpoint actually built from the training run it claims to be?), to detect data or embedding poisoning in a vector store, or to enforce runtime policy on what an agent with tool access (LLM06: Excessive Agency) is permitted to do.
That gap matters because a container scanner evaluates the box a model ships in, not the integrity of what's inside it. A model file can pass every container and dependency check Aqua performs and still contain a Sleepy Pickle-style payload, a poisoned fine-tuning dataset, or a backdoored adapter merged in during a compromised training job. Cloud-native security posture management was built for infrastructure; the OWASP LLM Top 10 describes risks that live in the ML artifact supply chain sitting on top of that infrastructure — a layer general-purpose CNAPP tooling was never architected to inspect natively.
What Real Incidents Show These Risks Aren't Theoretical?
They aren't theoretical because production failures across all three major risk categories — data leakage, supply chain compromise, and excessive agency — have already occurred at well-known companies. In April 2023, Samsung engineers pasted proprietary semiconductor source code and internal meeting notes into ChatGPT to debug and summarize it, and the company subsequently banned generative AI tools on corporate devices after concluding the data had left its control — a textbook LLM02 sensitive information disclosure case caused entirely by employee workflow, not a model flaw. The JFrog Hugging Face findings (roughly 100 malicious models, February 2024) and the torchtriton PyPI compromise (December 2022) both demonstrate LLM03 in production open-source ecosystems that enterprise teams pull from directly. And multiple red-team exercises through 2024, including OWASP's own published testing guides, have shown that agentic LLM deployments granted broad tool permissions — file system access, code execution, outbound API calls — can be manipulated via injected instructions into taking actions well outside their intended scope, the core scenario behind LLM06.
The pattern across every incident is the same: the compromise entered through an artifact or a workflow, not through a jailbreak prompt crafted by a sophisticated attacker. That's precisely why OWASP restructured its list around supply chain and data integrity rather than purely conversational attacks.
How Safeguard Helps
Safeguard was built for exactly the layer that generic CNAPP tools like Aqua don't reach: the integrity of the artifacts that flow into and out of your software supply chain, extended to cover the models, datasets, and dependencies that make up a GenAI pipeline. Rather than treating an AI application as a container to be scanned once at build time, Safeguard maps controls directly onto the OWASP LLM Top 10 categories your team actually has to answer for in an audit or incident review.
For LLM03 (Supply Chain), Safeguard generates and verifies provenance attestations for models and their dependencies, so a checkpoint pulled from Hugging Face or an internal registry can be traced back to the training job, dataset version, and commit that produced it — the same SLSA-aligned approach Safeguard already applies to conventional software builds, extended to an AI-BOM (AI bill of materials) that inventories base models, adapters, and third-party weights alongside your open-source packages. For LLM04 (Data and Model Poisoning), Safeguard's pipeline gates flag unsigned or unverified model artifacts before they reach a fine-tuning or inference environment, closing the exact window that let a torchtriton-style dependency-confusion attack or a Sleepy Pickle payload execute unnoticed. For LLM02 (Sensitive Information Disclosure), secrets scanning extends into prompts, logs, and training data exports, catching the kind of credential or source-code leakage that drove Samsung's 2023 ban before it reaches an external API. And for LLM06 (Excessive Agency), policy enforcement in CI/CD constrains what tool integrations and service accounts an agentic workflow can invoke, rather than relying on the model to police its own permissions.
Where Aqua and similar CNAPP platforms give you visibility into the containers and known CVEs surrounding your AI workloads, Safeguard gives you the chain-of-custody evidence for the models and data inside them — the part of the OWASP Top 10 for LLMs that container scanning alone was never built to answer.