Supply Chain Attacks
What It Is
AI supply chain attacks target the components AI systems depend on — pre-trained models, datasets, frameworks, plugins, and tools.
Attack Vectors
Malicious Model Upload
Upload a trojaned model to a public hub (Hugging Face, TensorFlow Hub) under a plausible name:
- Model passes benchmarks and looks legitimate, so ordinary evaluation does not flag it
- Contains a hidden backdoor in the weights, activated only by specific trigger inputs
- Pickle-based checkpoint files (.pt, .pth, .pkl, joblib) can also carry arbitrary Python that runs the moment the file is loaded, whether or not the weights themselves are tampered
Poisoned Datasets
Contribute malicious or mislabelled samples to public datasets used for training or fine-tuning. A small fraction of poisoned examples can implant a trigger-activated backdoor or skew behaviour while headline accuracy stays normal, so the damage is invisible to standard evaluation.
Compromised Plugins/Tools
LLM applications use plugins, MCP servers, and API integrations, each of which is code or content from a third party:
- Malicious plugin that exfiltrates conversation data or credentials it is handed
- Compromised tool whose output carries prompt-injection payloads, so the model acts on attacker instructions under the user's authority
- Dependency confusion attacks on ML Python packages (a public package registered under the name of an internal one, so the resolver pulls the attacker's copy)
The Pickle Problem
Python's pickle format can execute arbitrary code during deserialization: a pickle stream is a small program for a stack machine, and its GLOBAL and REDUCE opcodes let it import any module and call any callable with attacker-chosen arguments. Many common ML checkpoint formats are pickle under the hood: PyTorch .pt/.pth (a zip containing a pickle), scikit-learn and joblib .pkl files, and older Hugging Face pytorch_model.bin checkpoints. Loading any of them from an untrusted source is equivalent to running untrusted Python.
```python
import torch
from safetensors.torch import load_file

# DANGEROUS: a full unpickle of whatever the file contains. This is the behaviour of
# torch.load(weights_only=False), which was the default before PyTorch 2.6; newer
# releases default to a restricted unpickler, but an explicit weights_only=False
# (common in older tutorials and loaders) reopens the hole.
model = torch.load('untrusted_model.pt')

# SAFER: safetensors is a tensor-only container. Loading parses a header and copies
# bytes; it never executes code. load_file returns a dict of tensors (a state dict),
# which you then pass to load_state_dict() on a model you constructed yourself.
state_dict = load_file('model.safetensors')
```
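The mechanics of the pickle problem, as an added example that is not code from the original page: it builds a checkpoint object whose `__reduce__` makes the unpickler call a function on load, shows that plain `pickle.loads` executes it, and then demonstrates the two standard defences, a `find_class` allowlist (the mechanism behind `torch.load(weights_only=True)`) and a static opcode scan with `pickletools` that lists the globals a pickle would import without loading it. The `payload` function, the `SAFE_GLOBALS` allowlist and the sample pickles are constructed for this example; the scanner only emulates the string and memo opcodes, which is enough for streams produced by `pickle.dumps` but is not a complete pickle VM.

```python
import io
import pickle
import pickletools

# Constructed for this example: records when the "payload" runs so the demo is safe
# to execute. A real trojaned checkpoint would call os.system, urllib, etc. here.
EXECUTED = []


def payload(marker):
    EXECUTED.append(marker)
    return {"weights": [0.1, 0.2]}  # hand back something that looks like a state dict


class TrojanedCheckpoint:
    # __reduce__ tells pickle how to rebuild the object: "call payload('pwned')".
    # The unpickler obeys it, so the call happens inside pickle.load / torch.load.
    def __reduce__(self):
        return (payload, ("pwned",))


def build_malicious_pickle(protocol=pickle.DEFAULT_PROTOCOL) -> bytes:
    return pickle.dumps(TrojanedCheckpoint(), protocol=protocol)


def build_benign_pickle() -> bytes:
    return pickle.dumps({"weights": [0.1, 0.2]})


def unsafe_loads(data: bytes):
    """Plain pickle.loads: what torch.load(weights_only=False) or joblib.load amounts to."""
    return pickle.loads(data)


# Hypothetical allowlist of the globals a plain state dict needs; extend deliberately.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based find_class: the same idea as torch.load(weights_only=True)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle(data: bytes) -> list:
    """Statically list every non-allowlisted global the pickle would import.

    Nothing is executed. Only string and memo opcodes are emulated, which covers
    pickler-generated streams (GLOBAL for protocol <= 3, STACK_GLOBAL for >= 4);
    a hand-crafted stream can evade this, so use it as a detection aid, not as the
    only control.
    """
    strings = []              # string constants in push order
    memo, n_memo = {}, 0      # memo slot -> string, or None if the slot is not a string
    last_was_string = False
    globals_seen = []
    for op, arg, _pos in pickletools.genops(data):
        pushed_string = False
        if op.name in STRING_OPS:
            strings.append(arg)
            pushed_string = True
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            if memo.get(arg) is not None:
                strings.append(memo[arg])
                pushed_string = True
        elif op.name == "MEMOIZE":
            memo[n_memo] = strings[-1] if last_was_string else None
            n_memo += 1
            pushed_string = last_was_string      # stack is unchanged
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if last_was_string else None
            pushed_string = last_was_string
        elif op.name == "GLOBAL":                # arg is "module name"
            module, name = arg.split(" ", 1)
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            globals_seen.append((module, name))
        last_was_string = pushed_string
    return [g for g in globals_seen if g not in SAFE_GLOBALS]


if __name__ == "__main__":
    bad = build_malicious_pickle()
    print("scan found:", scan_pickle(bad))
    try:
        safe_loads(bad)
    except pickle.UnpicklingError as exc:
        print("restricted loader:", exc)
    unsafe_loads(bad)
    print("plain pickle.loads ran the payload:", EXECUTED)
```

Run it once and the order of events is the point: the scan reports the `payload` global before anything is loaded, the restricted unpickler refuses the same reference, and only the plain `pickle.loads` actually runs the attacker's function. Tools such as picklescan and fickling do a fuller version of the static scan; the safetensors recommendation above removes the problem entirely by never giving the loader a program to run.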
Mitigation
| Control | What It Does |
|---|---|
| Hash verification | Pin the SHA-256 (or hub revision) of each model you depend on and check it before loading; catches tampering in transit and silent re-uploads, but not a trojan that was published under that hash |
| Safetensors format | Tensor-only container with no code path at load time; prefer it over pickle-based .pt/.pkl files and refuse pickle from untrusted sources |
| Dependency scanning | Audit and pin ML package dependencies, including transitive ones, and alert on lookalike or dependency-confusion packages |
| Model sandboxing | Load and run untrusted models in an isolated environment (container or VM with no credentials and restricted network) so embedded code cannot reach anything valuable |
| Provenance tracking | Record origin, version and signatures of every model, dataset and package so a compromised upstream can be traced and rolled back |