This work reveals a critical security blind spot in the modular large language model (LLM) supply chain: existing safety alignment mechanisms fail to defend against synergistic attacks launched by combining multiple seemingly benign LoRA adapters. The study introduces a novel attack paradigm that systematically bypasses alignment safeguards without relying on adversarial prompts—instead, it exploits the combinatorial explosion inherent in adapter composition, which current defenses cannot exhaustively enumerate. Experiments across multiple open-source LLMs demonstrate that while individual LoRA adapters exhibit harmless behavior, their linear combination significantly increases the success rate of generating harmful outputs. This exposes a fundamental limitation in prevailing single-module verification approaches, which are ill-equipped to anticipate emergent risks arising from modular composition.

We introduce Colluding LoRA (CoLoRA), an attack in which each adapter appears benign and plausibly functional in isolation, yet their linear composition consistently compromises safety. Unlike attacks that depend on specific input triggers or prompt patterns, CoLoRA is a composition-triggered broad refusal suppression: once a particular set of adapters is loaded, the model undergoes effective alignment degradation, complying with harmful requests without requiring adversarial prompts or suffixes. This attack exploits the combinatorial blindness of current defense systems, where exhaustively scanning all compositions is computationally intractable. Across several open-weight LLMs, CoLoRA achieves benign behavior individually yet high attack success rate after composition, indicating that securing modular LLM supply-chains requires moving beyond single-module verification toward composition-aware defenses.