In plain English
This page covers the high-risk pattern where small adapters, routes, memory, evaluators, and descendants can reinforce each other across time. It is a risk model, not a build guide.
- Why this matters: AI risk can come from the whole arrangement, not one obvious model.
- What to look for: data, memory, routes, adapters, tools, evaluators, updates, and rollback paths.
- Technical version below: the expert terminology remains available and is linked through the glossary.
Apex Threat Source Map
This page maps the external sources used by the Apex Threat section. It separates standards, documented incidents or demonstrations, academic research, and defensive implementation references.
The source map is not a bibliography claiming that “Cognivirus malware” exists (Cognivirus, per the glossary: a behavior pattern that can survive, move, or reappear across a changing AI system). It shows which documented component risks support each part of the Apex Threat synthesis.
Grouped source map
Standards and frameworks
Artificial Intelligence Risk Management Framework (AI RMF 1.0)
Frames AI risk management as an ongoing govern, map, measure, and manage lifecycle practice across design, development, deployment, operation, and retirement.
- Why it is credible: NIST is a U.S. standards body and the AI RMF is a public risk-management framework used by organizations for governance planning.
- Apex Threat behavior supported: Lifecycle governance, residual-risk review, rollback discipline, and release control.
- Limit (what this source does not prove): Framework guidance. It does not prove that the full Apex Threat has occurred as one incident.
NIST AI 600-1: Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
Applies the AI RMF to generative AI and identifies generative-AI-specific risks and risk-management actions.
- Why it is credible: It is an official NIST publication with a DOI and a public risk-management scope for generative AI.
- Apex Threat behavior supported: Specialized governance for generative-AI provenance, testing, monitoring, disclosure, and lifecycle controls.
- Limit (what this source does not prove): A risk profile, not a complete technical defense against every compound transition-graph pathway.
OWASP Top 10 for LLM Applications 2025
Catalogs common LLM application risks including prompt injection, supply-chain risk, data/model poisoning, excessive agency, vector weaknesses, and unbounded consumption.
- Why it is credible: OWASP is a widely used application-security community, and its Gen AI project maintains an LLM-focused risk taxonomy.
- Apex Threat behavior supported: A structured vocabulary for the component risks that Cognivirus composes into the Apex Threat model.
- Limit (what this source does not prove): Risk taxonomy. It does not claim the combined Cognivirus Apex Threat has appeared as a named incident.
LLM03:2025 Supply Chain
Describes supply-chain risks for LLM applications, including third-party models, datasets, weak provenance, LoRA, PEFT, vulnerable adapters, model repositories, signing, and SBOM controls.
- Why it is credible: OWASP LLM03 is a framework-level source specifically naming AI supply-chain components beyond ordinary software dependencies.
- Apex Threat behavior supported: Adapters, model assets, datasets, repositories, provenance, and supplier controls as risk surfaces.
- Limit (what this source does not prove): Framework guidance, not proof that the full Apex Threat has occurred as a single incident.
LLM04:2025 Data and Model Poisoning
Describes risks from poisoned training, fine-tuning, embedding, and model data sources that can alter behavior.
- Why it is credible: OWASP LLM04 provides a public security taxonomy for data and model poisoning risks in LLM applications.
- Apex Threat behavior supported: Training and fine-tuning pipelines as carriers for persistent behavior.
- Limit (what this source does not prove): Framework guidance. It does not establish a single self-replicating multi-LoRA incident.
LLM06:2025 Excessive Agency
Describes the risk created when LLM-based systems have too much functionality, permission, or autonomy relative to their reviewed purpose.
- Why it is credible: OWASP LLM06 is a framework-level source focused on action authority and permission design in LLM applications.
- Apex Threat behavior supported: The transition from strange outputs to material effects through tools, credentials, and external actions.
- Limit (what this source does not prove): It shows why action authority matters; it does not prove that a model is malicious.
LLM08:2025 Vector and Embedding Weaknesses
Describes risks in systems using embeddings, vector stores, and retrieval-augmented generation.
- Why it is credible: OWASP LLM08 focuses specifically on vector and embedding systems that are common in RAG and AI memory designs.
- Apex Threat behavior supported: Memory and retrieval stores as active inputs that can influence future behavior.
- Limit (what this source does not prove): It does not imply vector databases are inherently unsafe.
CycloneDX ML-BOM
Provides a way to document models, datasets, dependencies, training methods, provenance, and AI component inventory.
- Why it is credible: CycloneDX is an established software bill-of-materials ecosystem extended here to machine-learning artifacts.
- Apex Threat behavior supported: Machine-readable inventories for models, datasets, adapters, dependencies, and provenance.
- Limit (what this source does not prove): Inventory improves traceability but does not guarantee safety by itself.
Real Incidents / Demonstrations
PoisonGPT: How We Hid a Lobotomized LLM on Hugging Face to Spread Fake News
Demonstrates a modified open-source model that behaves normally in general use while carrying targeted false behavior on a narrow topic.
- Why it is credible: A named security-research demonstration with a public writeup and defensive supply-chain framing.
- Apex Threat behavior supported: Narrow hidden behavior can survive broad checks if artifact provenance and targeted tests are weak.
- Limit (what this source does not prove): It does not prove the full self-replicating Apex Threat ecology exists in the wild.
Silent Sabotage: Hijacking Safetensors Conversion on Hugging Face
Shows how a model-conversion workflow can become a compromise path around otherwise trusted-looking model repository behavior.
- Why it is credible: HiddenLayer publishes AI security research focused on model artifacts, repositories, and ML workflow abuse.
- Apex Threat behavior supported: The carrier can be the workflow that moves, converts, approves, or signs an artifact, not only the artifact itself.
- Limit (what this source does not prove): It does not prove that every model conversion service is compromised.
EchoLeak / CVE-2025-32711: Indirect Prompt Injection in Microsoft 365 Copilot
Reports EchoLeak / CVE-2025-32711 as a zero-click indirect prompt-injection case study involving Microsoft 365 Copilot and cross-boundary data exposure risk.
- Why it is credible: A public research paper tied to a named production AI prompt-injection case study.
- Apex Threat behavior supported: Retrieved content can behave as an instruction carrier when an AI bridges external content, private context, and actions.
- Limit (what this source does not prove): Prompt injection alone is not equivalent to the full Apex Threat.
ShadowRay / exposed Ray deployments
Reports the compromise of Ray AI framework deployments that were insecurely exposed.
- Why it is credible: Mainstream security-industry reporting on AI infrastructure exposure and operational compromise.
- Apex Threat behavior supported: Fast, distributed AI infrastructure can enlarge the blast radius when deployment boundaries are weak.
- Limit (what this source does not prove): Infrastructure exposure is not the same as a self-replicating adapter ecology.
LeftoverLocals: Listening to LLM Responses Through Leaked GPU Local Memory
Shows GPU local-memory leakage affecting ML workloads and LLM response confidentiality on shared hardware paths.
- Why it is credible: Trail of Bits is a recognized security research firm publishing technical vulnerability analyses.
- Apex Threat behavior supported: Runtime residue and shared compute can become a system boundary, not merely an implementation detail.
- Limit (what this source does not prove): It does not show Apex Threat replication; it shows a residue and isolation failure at the hardware/runtime layer.
Academic Research
EchoLeak / CVE-2025-32711: Indirect Prompt Injection in Microsoft 365 Copilot
The same research paper is listed in full under Real Incidents / Demonstrations above; it is also an academic source for the retrieved-content-as-instruction-carrier behavior.
AI models collapse when trained on recursively generated data
Studies degradation that can occur when models are trained on recursively generated data from earlier models.
- Why it is credible: Nature is a peer-reviewed scientific journal and this paper directly studies recursive synthetic training risk.
- Apex Threat behavior supported: Synthetic data feedback loops can preserve distortions and erase variance without source controls.
- Limit (what this source does not prove): It does not prove that all synthetic data causes collapse.
How Bad is Training on Synthetic Data? A Statistical Analysis of Language Model Collapse
Analyzes conditions under which training on synthetic data can degrade language model distributions.
- Why it is credible: Academic preprint focused directly on the statistical behavior of recursive synthetic-data training.
- Apex Threat behavior supported: Source labels and fresh data matter when synthetic feedback can recursively alter distributions.
- Limit (what this source does not prove): Preprint evidence; not a claim that every synthetic data pipeline is unsafe.
LLM Supply Chain Study
Treats LLM systems as nested supply chains involving models, datasets, tooling, deployment, and downstream integrations.
- Why it is credible: Academic preprint addressing the LLM supply-chain structure that underlies compound AI-system risk.
- Apex Threat behavior supported: The system of dependencies can be the risk surface, not only a single model file.
- Limit (what this source does not prove): A supply-chain study does not establish the full Cognivirus ecology as a confirmed incident.
Defensive Implementation
The following sources, listed in full under Standards and frameworks above, also serve as defensive implementation references:
- Artificial Intelligence Risk Management Framework (AI RMF 1.0): lifecycle governance, residual-risk review, rollback discipline, and release control.
- NIST AI 600-1 (Generative Artificial Intelligence Profile): governance for generative-AI provenance, testing, monitoring, disclosure, and lifecycle controls.
- LLM03:2025 Supply Chain: adapters, model assets, datasets, repositories, provenance, and supplier controls as risk surfaces.
- LLM04:2025 Data and Model Poisoning: training and fine-tuning pipelines as carriers for persistent behavior.
- LLM06:2025 Excessive Agency: the transition from strange outputs to material effects through tools, credentials, and external actions.
- LLM08:2025 Vector and Embedding Weaknesses: memory and retrieval stores as active inputs that can influence future behavior.
- CycloneDX ML-BOM: machine-readable inventories for models, datasets, adapters, dependencies, and provenance.