Pig Butchering 2.0: LLM Supply Honeypots

“LLM Supply Honeypots” are instrumented repositories deployed across open-source ecosystems to detect and study model poisoning. By embedding unique markers and tracking how AI models reproduce them, enterprise supply-chain tooling can identify which LLM checkpoints have ingested untrusted repository content before those models reach developer environments.


Traditional honeypots detect active attacks: they wait for a human or a piece of malware to interact with them.


LLM Supply Honeypots invert the paradigm. Instead of catching intruders after a compromise, they measure exposure at the source: by laying digital traps inside public code and training ecosystems, they reveal which models' training pipelines scrape untrusted repositories, and therefore which models a repository-level poisoning campaign could reach.


This is critical because large language models (LLMs) are now trained or fine-tuned on massive open-source datasets, where even a few strategically placed poisoned repositories can contaminate downstream models or developer outputs.


LLM Supply Honeypots embed traceable watermark payloads in synthetic repositories, enabling model-centric telemetry that detects when AI systems ingest or replicate compromised code patterns.

Core Components:

2.1 Decoy Repository Fabrication

  • Deploy synthetic open-source repositories containing legitimate, high-quality code with concealed semantic watermarks.
  • Each repo mimics a realistic development pattern, e.g., a microservice template, utility library, or data-processing pipeline.
  • Repositories are distributed across multiple ecosystems (GitHub, Hugging Face, PyPI, npm, Docker Hub) to test ingestion diversity.

Design Characteristics:
  • Commit histories mimic natural contributor graphs (multiple committers, staged commits, plausible README narratives).
  • Libraries contain non-executable markers hidden in:
    • Variable naming schemes (e.g., “_calcSHA_FG7B”). This is the most durable channel: identifiers survive tokenization and most corpus cleaning.
    • Comments carrying zero-width Unicode characters. This is the least durable channel: many dataset-cleaning pipelines normalize or strip zero-width code points, and GitHub's UI warns on hidden Unicode characters, which also makes the decoy look suspicious to a human reviewer.
    • Token-distribution patterns (for example, a consistent but unusual naming or formatting style repeated across files) that a statistical steganography detector can recognize.
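As an added example (not code from the original post or its authors), the following Python builds a small decoy module with a “_calcSHA_FG7B”-style identifier marker, a docstring marker and a zero-width-encoded comment marker, confirms the decoy still compiles and runs, and then applies a cleaning pass of the kind many corpus-preparation pipelines use (NFKC normalization plus removal of zero-width code points) to show which channels survive. The module template, the bit-to-zero-width encoding and the cleaning rules are assumptions chosen for illustration; the tag value “FG7B” is the page's own example.

```python
# Added example: decoy fabrication and marker durability check (not the post's code).
import ast
import hashlib
import unicodedata

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}  # ZWSP, ZWNJ, ZWJ, BOM


def encode_zero_width(tag: str) -> str:
    """Encode the tag's bits as ZWSP (0) / ZWNJ (1): invisible inside a comment (assumed scheme)."""
    bits = "".join(f"{b:08b}" for b in tag.encode("ascii"))
    return "".join("\u200b" if bit == "0" else "\u200c" for bit in bits)


def decode_zero_width(text: str) -> str:
    """Recover a zero-width-encoded tag from arbitrary text ('' if nothing survives)."""
    bits = "".join("0" if ch == "\u200b" else "1" for ch in text if ch in ("\u200b", "\u200c"))
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))
    return data.decode("ascii", errors="ignore")


def fabricate_module(tag: str) -> str:
    """Plausible utility module (assumed template) carrying three marker channels."""
    return f'''"""Small hashing helpers for the data pipeline. Build: {tag}."""
import hashlib


def _calcSHA_{tag}(data: bytes) -> str:  # identifier-prefix marker
    # checksum helper{encode_zero_width(tag)}
    return hashlib.sha256(data).hexdigest()


def checksum(payload: bytes) -> str:
    return _calcSHA_{tag}(payload)
'''


def module_runs(source: str) -> bool:
    """Parse and execute the decoy to prove the markers did not break it."""
    ast.parse(source)  # a SyntaxError here would mean a marker leaked into real code
    namespace: dict = {}
    exec(compile(source, "<decoy>", "exec"), namespace)
    return namespace["checksum"](b"abc") == hashlib.sha256(b"abc").hexdigest()


def clean_like_a_corpus_pipeline(source: str) -> str:
    """Assumed cleaning pass: NFKC-normalise and drop zero-width code points.
    Many corpus filters do something equivalent, which erases zero-width markers."""
    text = unicodedata.normalize("NFKC", source)
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def surviving_markers(source: str, tag: str) -> dict:
    """Report which marker channels still carry the tag."""
    return {
        "identifier": f"_calcSHA_{tag}" in source,
        "docstring": f"Build: {tag}" in source,
        "zero_width": decode_zero_width(source) == tag,
    }


if __name__ == "__main__":
    decoy = fabricate_module("FG7B")
    assert module_runs(decoy)
    print("fresh:  ", surviving_markers(decoy, "FG7B"))
    cleaned = clean_like_a_corpus_pipeline(decoy)
    assert module_runs(cleaned)
    print("cleaned:", surviving_markers(cleaned, "FG7B"))
```

Running it shows all three channels present in the fresh decoy and only the identifier and docstring channels after cleaning, which is why the identifier prefix should carry the tag you actually intend to probe for.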

2.2 Marker Watermarking System

  • Each honeypot embeds a unique, cryptographically derived watermark token (WM_ID), generated from a seed based on repo name, deployment time, and deployment region.
  • Example:

     WM_ID = SHA256(repo_name || epoch_time || secret_salt)

    In practice, HMAC-SHA256 keyed with secret_salt over repo_name || epoch_time is the cleaner construction, and only a short tag derived from WM_ID (the “FG7B” in “_calcSHA_FG7B”) is planted in code, since a model will not plausibly reproduce a 64-character digest; the full WM_ID stays in the private lexicon for attribution.
  • These markers are placed in syntactic but non-functional regions of the code, such as docstrings or variable prefixes.
  • If a model ingests these repositories during pretraining or fine-tuning, it may memorize the marker well enough to reproduce it at inference time. This is probabilistic, not guaranteed: a string seen once in a large corpus is rarely memorized verbatim, and the chance rises with the number of times it appears (mirrors, forks, duplicate files), so honeypots are deliberately replicated and each model is probed many times.

2.3 Model Telemetry & Echo Detection

  • Using prompt probes, defenders query models with tailored inputs designed to elicit the embedded markers.
    • Example: ask a model to “write a SHA calculation function in Python using calcSHA_F…”. If the model completes the exact watermark sequence, or a near-identical one, that is evidence of ingestion. Because the prompt leaks a prefix of the marker, the signal is the completion of the remaining characters, not the presence of the prefix itself.
    • Compare every result against a control: a model that could not have seen the repository (for example, one released before the honeypot was deployed) gives the false-positive baseline for that probe.
    • Probes sent to hosted APIs may be retained by the provider and fed back into training, so send them sparingly and only through accounts with training opt-out; otherwise the probe itself seeds the marker.
  • Deploy distributed scanning pipelines (across API-accessible models) that:
    1. Send fingerprinting prompts.
    2. Compare generated outputs with known watermark lexicons.
    3. Log ingestion likelihood and risk score.

Mathematical Model for Detection:

Echo Probability (Ep) = CosineSimilarity(OutputEmbedding, WM_Embedding) × Ngram_Match_Ratio

with the cosine term clamped to [0, 1] and Ngram_Match_Ratio the fraction of the marker's n-grams present in the output, so Ep lies in [0, 1]. A high Ep value on a single probe is weak evidence; ingestion is called when Ep exceeds the control-model baseline by a calibrated margin across repeated probes.
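As an added example covering both the watermark derivation (2.2) and the echo-detection probe (2.3), and not code from the original post or its authors: it derives WM_ID with HMAC-SHA256 (a keyed variant of the page's SHA256 construction), shortens it to a plantable tag, probes a model with a prefix-only prompt, and scores the reply with the Echo Probability formula. The character-trigram similarity stands in for a real embedding model, and the two model callables, the secret salt and the 0.5 decision margin are constructed stand-ins, not real services or calibrated values.

```python
# Added example: watermark derivation and echo-probability scoring (not the post's code).
import hashlib
import hmac
import math
from collections import Counter
from typing import Callable, Iterable

SECRET_SALT = b"rotate-me-per-campaign"  # assumption: never committed to the decoys
TAG_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O or 1/I confusion


def derive_wm_id(repo_name: str, epoch_time: int, salt: bytes = SECRET_SALT) -> str:
    """WM_ID = HMAC-SHA256(secret_salt, repo_name || epoch_time).
    HMAC rather than the page's plain concatenation, so the salt is a real key."""
    msg = f"{repo_name}|{epoch_time}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def tag_from_wm_id(wm_id: str, length: int = 4) -> str:
    """Short identifier-safe tag to plant (the 'FG7B' in '_calcSHA_FG7B');
    the full WM_ID stays in the private lexicon."""
    n = int(wm_id[:16], 16)
    tag = []
    for _ in range(length):
        tag.append(TAG_ALPHABET[n % 32])
        n //= 32
    return "".join(tag)


def _trigrams(text: str) -> Counter:
    return Counter(text[i:i + 3] for i in range(len(text) - 2))


def ngram_match_ratio(output: str, marker: str) -> float:
    """Fraction of the marker's character trigrams that occur anywhere in the output."""
    grams = set(_trigrams(marker))
    return sum(g in output for g in grams) / len(grams) if grams else 0.0


def cosine_similarity(output: str, marker: str) -> float:
    """Embedding stand-in: cosine between trigram bags of the marker and the
    best-matching output window of the same length, clamped to [0, 1]."""
    vm = _trigrams(marker)
    sm = sum(v * v for v in vm.values())
    best, w = 0.0, len(marker)
    for i in range(max(1, len(output) - w + 1)):
        vo = _trigrams(output[i:i + w])
        dot = sum(vo[g] * vm[g] for g in vo.keys() & vm.keys())
        so = sum(v * v for v in vo.values())
        if dot and so:
            best = max(best, dot / math.sqrt(so * sm))
    return best


def echo_probability(output: str, marker: str) -> float:
    """Ep = CosineSimilarity(OutputEmbedding, WM_Embedding) x Ngram_Match_Ratio."""
    return cosine_similarity(output, marker) * ngram_match_ratio(output, marker)


def probe(model: Callable[[str], str], marker: str, leak: int = 9) -> dict:
    """Reveal only a prefix of the marker; reproducing the rest is the signal."""
    prompt = f"Write a SHA calculation function in Python using {marker[:leak]}"
    reply = model(prompt)
    return {"ep": echo_probability(reply, marker), "completed": marker in reply}


def flag_ingestion(candidate_ep: float, control_eps: Iterable[float], margin: float = 0.5) -> bool:
    """Call ingestion only when Ep clears the best control-model score by a margin."""
    return candidate_ep - max(control_eps, default=0.0) >= margin


# Constructed stand-ins for API-accessible models (no network involved).
def ingested_model(prompt: str) -> str:
    return "def _calcSHA_FG7B(data):\n    return hashlib.sha256(data).hexdigest()\n"


def control_model(prompt: str) -> str:
    return "def sha_calc(data):\n    return hashlib.sha256(data).hexdigest()\n"


if __name__ == "__main__":
    wm = derive_wm_id("acme/acme-utils", 1700000000)
    print("WM_ID:", wm, "tag:", tag_from_wm_id(wm))
    marker = "_calcSHA_FG7B"  # the page's example marker, used with the stand-in models
    cand, ctrl = probe(ingested_model, marker), probe(control_model, marker)
    print("candidate:", cand, "control:", ctrl, "ingestion:", flag_ingestion(cand["ep"], [ctrl["ep"]]))
```

The control model's reply still scores a non-zero Ep because generic names such as sha_calc share trigrams with the marker; that residual is exactly what the control baseline is for, and why the decision uses a margin over the control rather than a bare threshold.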

2.4 LLM Ingestion Graph

  • Combine detection logs into a Model Ingestion Graph (MIG):
    • Nodes = LLM checkpoints or public model names.
    • Edges = confirmed or probable ingestion of a honeypot repo.
    • Edge weights = Echo Probability (Ep).
  • This creates a map of which models (and downstream copilots, chatbots, or CI/CD assistants) have been exposed to poisoned ecosystems.
  • Integrate with Code Provenance Graphs and AI SBOMs to flag models with high ingestion overlap.

2.5 Integration with Threat Intel Feeds

  • Honeypot repositories can be published to enterprise threat-intel feeds as STIX objects served over TAXII.
  • SOC analysts or supply-chain platforms can consume this data to flag:
    • “Model ingestion risk” in supplier AI APIs.
    • “Dataset contamination probability” in vendor SBOMs.
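As an added example for sections 2.4 and 2.5, not code from the original post or its authors: it folds echo-detection records into a Model Ingestion Graph, lets fine-tuned checkpoints inherit their base model's exposure, and emits the above-threshold edges as STIX 2.1 objects ready to be served over TAXII. The detection records, lineage map, model names, repository URLs and the 0.6 threshold are constructed; representing a model as a STIX “tool” object and the repository as an “indicator” joined by an “indicates” relationship is a mapping choice made here, since STIX has no native AI-model object.

```python
# Added example: Model Ingestion Graph and STIX 2.1 export (not the post's code).
import json
import uuid
from collections import defaultdict

EP_THRESHOLD = 0.6  # assumption: would be calibrated against control models
STIX_TS = "2025-01-01T00:00:00.000Z"  # constructed timestamp in STIX format

# Constructed detection records: one probe result per (model, honeypot repo) pair.
DETECTION_LOGS = [
    {"model": "vendor-x/code-7b", "repo": "https://github.com/acme/acme-utils", "ep": 0.93},
    {"model": "vendor-x/code-7b", "repo": "https://github.com/acme/acme-utils", "ep": 0.71},
    {"model": "vendor-x/code-7b", "repo": "https://github.com/acme/pipeline-tpl", "ep": 0.12},
    {"model": "vendor-y/chat-13b", "repo": "https://github.com/acme/acme-utils", "ep": 0.08},
]
# Constructed lineage: derived checkpoint -> base model it was fine-tuned from.
LINEAGE = {"vendor-x/code-7b-instruct": "vendor-x/code-7b"}


def build_mig(logs):
    """Nodes are models, edges are (model -> repo) weighted by the highest Ep seen."""
    graph = defaultdict(dict)
    for rec in logs:
        edges = graph[rec["model"]]
        edges[rec["repo"]] = max(edges.get(rec["repo"], 0.0), rec["ep"])
    return dict(graph)


def propagate_lineage(graph, lineage):
    """A fine-tune inherits its base model's exposure: the weights were copied."""
    for child, base in lineage.items():
        child_edges = graph.setdefault(child, {})
        for repo, ep in graph.get(base, {}).items():
            child_edges[repo] = max(child_edges.get(repo, 0.0), ep)
    return graph


def exposed_models(graph, threshold=EP_THRESHOLD):
    """Models with at least one edge at or above threshold, most exposed first."""
    score = {m: max(e.values(), default=0.0) for m, e in graph.items()}
    return sorted((m for m, s in score.items() if s >= threshold), key=lambda m: -score[m])


def to_stix_bundle(graph, threshold=EP_THRESHOLD, ts=STIX_TS):
    """One indicator per honeypot repo, one tool per exposed model, and an
    'indicates' relationship per edge with confidence = Ep * 100 (mapping choice)."""
    objects, ids = [], {}

    def sdo(kind, **props):
        obj = {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uuid.uuid4()}",
               "created": ts, "modified": ts, **props}
        objects.append(obj)
        return obj["id"]

    for model, edges in graph.items():
        for repo, ep in edges.items():
            if ep < threshold:
                continue
            if repo not in ids:
                ids[repo] = sdo("indicator", name=f"LLM supply honeypot: {repo}",
                                indicator_types=["anomalous-activity"],
                                pattern=f"[url:value = '{repo}']", pattern_type="stix",
                                valid_from=ts)
            if model not in ids:
                ids[model] = sdo("tool", name=model, tool_types=["unknown"])
            sdo("relationship", relationship_type="indicates", source_ref=ids[repo],
                target_ref=ids[model], confidence=int(round(ep * 100)))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def export_bundle_json(graph, threshold=EP_THRESHOLD):
    """Serialized bundle: the payload a TAXII collection would hold."""
    return json.dumps(to_stix_bundle(graph, threshold), indent=2)


if __name__ == "__main__":
    mig = propagate_lineage(build_mig(DETECTION_LOGS), LINEAGE)
    print("exposed:", exposed_models(mig))
    print(export_bundle_json(mig))
```

Edges below threshold are kept in the graph (they matter for trend analysis) but are not exported, so the feed carries only calls a SOC analyst can act on.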

Outcome:

  • LLM Supply Honeypots feed deception-layer intelligence directly into AI SBOM and Provenance Graph pipelines.
  • Every time a honeypot watermark is echoed by a model, its fingerprint is appended to the enterprise’s SBOM trust index and visualized as a low-trust edge in the Provenance Graph.
  • Detected honeypot correlations also recalibrate Prompt Anomaly Detection thresholds, teaching IDE agents what real poisoned patterns look like in code generation.

Upcoming:

The authors continue this research in the next two parts of the Pig Butchering series:

Part 3/4 - LLM Code Provenance Graphs

Part 4/4 - Prompt Anomaly Detection in IDEs

Detailed material for access – GitHub



Co-authored by

Venkat Jayakumar

Venkatakrishnan Jayakumar is a seasoned cloud and DevOps leader with over two decades of experience transforming enterprise IT—from physical infrastructure deployments to cloud-native, scalable architectures. His expertise spans infrastructure migration, cloud architecture, Kubernetes, and automation, helping organizations accelerate time to market without compromising security or reliability.

Before joining Infiligence, Venkat led the DevOps and Cloud Center of Excellence at Concentrix Catalyst, delivering scalable solutions for global enterprises like Honeywell and Charter. Earlier, he drove large-scale data center migrations at Zurich and engineered modern infrastructure solutions involving blade servers and enterprise storage systems.

At his core, Venkat is passionate about building secure, resilient, and high-performing platforms that empower businesses to innovate with confidence.

Connect on LinkedIn


Ajitha Ravichandran


Ajitha Ravichandran is an experienced QA engineer with a strong background in automation testing, CI/CD integration, and quality engineering for cloud-native applications. She brings hands-on expertise in designing and implementing robust testing frameworks that ensure secure, scalable, and high-performing enterprise solutions.

At Infiligence, Ajitha focuses on building next-generation platform engineering solutions that unify security, observability, and automation—helping clients achieve faster delivery cycles and stronger operational governance.

Her earlier experience spans cloud migration projects, Kubernetes deployments, and automation frameworks that streamline application lifecycle management across hybrid and multi-cloud ecosystems. Ajitha is passionate about driving engineering excellence and enabling teams to build with confidence in the cloud.

Connect on LinkedIn
