Understanding Large Language Model Supply Chain: Structure, Domain, and Vulnerabilities
Yanzhe Hu, Shenao Wang, Tianyuan Nie, Yanjie Zhao, Haoyu Wang
TL;DR
This paper provides the first empirical study of the Large Language Model Supply Chain (LLMSC), focusing on open-source components from PyPI and NPM across 14 functional domains. It builds a comprehensive directed dependency graph (61,965 nodes, 26,736 edges) and ingests 180 vulnerabilities to analyze structure, domain composition, and security risks. The study reveals a locally dense, globally sparse topology dominated by high-degree hub packages, with vulnerability cascades concentrated in early dependency layers and significant inter-tree sharing via 2,767 shared nodes and 311 shared paths. It also shows that domains are heavily influenced by Plugins/External Tools and LLM Inference, with characteristic domain transitions shaping LLMSC workflows, and identifies bridge nodes with outsized influence on risk propagation. The findings offer a foundational understanding of LLMSC resilience and provide actionable directions for securing dependency networks and guiding future research on open-source supply chain security for LLM ecosystems.
Abstract
Large Language Models (LLMs) have revolutionized artificial intelligence (AI), driving breakthroughs in natural language understanding, text generation, and autonomous systems. However, the rapid growth of LLMs presents significant challenges in the security and reliability of the Large Language Model Supply Chain (LLMSC), a complex network of open-source components, libraries, and tools essential for LLM development and deployment. Despite its critical importance, the LLMSC remains underexplored, particularly regarding its structural characteristics, domain composition, and security vulnerabilities. To address this gap, we conduct the first empirical study of the LLMSC, analyzing a curated dataset of open-source packages from PyPI and NPM across 14 functional domains. We construct a directed dependency graph comprising 15,725 nodes, 10,402 edges, and 180 unique vulnerabilities to investigate the structural characteristics of the LLMSC and analyze how security risks propagate through its dependency network. Our findings reveal that the LLMSC exhibits a ``locally dense, globally sparse'' topology, with 79.7% of dependency trees containing fewer than 5 nodes, while a few large trees dominate the ecosystem, accounting for 77.66% of all nodes. The graph is characterized by high-degree hubs, with the top 5 most connected nodes averaging 1,282 dependents each. Security analysis shows that critical vulnerabilities propagate to an average of 142.1 nodes at the second layer of dependency trees and peak at 237.8 affected nodes at the third layer. Notably, cascading risks are concentrated in critical hub nodes such as transformers, which directly or indirectly affect over 1,300 downstream packages. These findings provide quantitative insights into the structural and security dynamics of the LLMSC and emphasize the need for targeted mitigation strategies to enhance ecosystem resilience.
