Summary

Adds a new attack scenario (Scenario #14) to LLM03 covering compromise of an organization's own CI/CD pipeline producing tampered model artifacts at build time.

Motivation

The existing 13 scenarios in LLM03 all treat the supply chain risk as originating from an external component (third-party package, public model, upstream dataset, collaborative merge service, etc.). None cover the case where the organization's own build pipeline is compromised and produces a tampered artifact that passes provenance and attestation checks precisely because it was signed by the trusted internal release infrastructure.

This attack class has well-known analogues in traditional software supply chains (xz-utils, Codecov, SolarWinds). The equivalent attack surface exists for ML pipelines wherever model artifacts are built, signed, and deployed automatically without model-specific integrity controls. Given the growing use of internal fine-tuning pipelines and CI/CD-driven model releases, this scenario seems worth calling out explicitly in the supply chain threat model.

Scope

• One new scenario appended as Scenario docs: include metadata for sprint2 analysis #14. No other changes.
• Matches the existing scenario format and length.
• Happy to expand into a matching entry in the Prevention and Mitigation Strategies section if reviewers want that in this PR or as a follow-up.