Attacks Wiki Entry

Supply Chain Attacks

Attacks that compromise AI systems through their dependencies, including third-party models, training datasets, libraries, and fine-tuning services.

Last updated: January 24, 2025

Definition

AI supply chain attacks compromise machine learning systems through their dependencies—third-party models, training datasets, ML libraries, fine-tuning services, and deployment infrastructure. A single compromised component can affect thousands of downstream applications.


Attack Surface

Pre-trained Models

  • Backdoored models distributed through hubs (Hugging Face, etc.)
  • Compromised model weights in popular repositories
  • Typosquatting on model names

Training Datasets

  • Poisoned public datasets (Common Crawl, Wikipedia dumps)
  • Compromised crowdsourced labeling
  • Malicious contributions to open datasets

ML Libraries and Frameworks

  • Malicious packages in PyPI, npm (ML dependencies)
  • Compromised model serialization (pickle vulnerabilities)
  • Backdoored training frameworks

Fine-tuning and MLOps Services

  • Compromised fine-tuning platforms
  • Malicious adapters and LoRA weights
  • Attacked model registries

Why It's Critical

  • Wide impact — Popular models/datasets affect many applications
  • Trust exploitation — Users trust established sources
  • Persistence — Backdoors survive through model updates
  • Detection difficulty — Compromised components may pass testing

Real-World Examples

Model Serialization Attacks — Malicious pickle files executing code on model load.

Hugging Face Compromise — Researchers demonstrating backdoored model uploads.

Dataset Poisoning — Documented poisoning of web-scraped training corpora.


Detection

  • Verify model/data provenance and signatures
  • Scan for known malicious patterns in dependencies
  • Test models for backdoor behaviors
  • Monitor for unexpected model behaviors in production

Defenses

  • Provenance verification — Verify sources and signatures
  • Sandboxed loading — Isolate model deserialization
  • Dependency scanning — Audit ML supply chain
  • Model testing — Backdoor detection before deployment
  • Internal model registry — Control approved artifacts
  • Safe serialization — Avoid pickle-based formats; prefer safetensors
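As an added example (not code from this wiki entry), the Python below combines two of the defenses above: provenance verification against a pinned digest and static inspection of a pickle-based checkpoint before anything is deserialized. The allowlist, the pinned digest and the two sample artifacts are constructed assumptions, not real checkpoints.

```python
import collections
import hashlib
import pickle
import pickletools
import subprocess  # referenced only to build a sample artifact that imports a non-allowlisted global

# Globals an ordinary PyTorch-style checkpoint is expected to import (assumed allowlist; tune per project).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}

def referenced_globals(data: bytes) -> set:
    """Return every (module, name) the pickle would import, by walking its opcodes instead of loading it."""
    refs, strings, memo, last = set(), [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                        # protocol 0-3: "module name" in one argument
            refs.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":                # protocol 4+: module and name were pushed as strings
            refs.add((strings[-2], strings[-1]))
        elif "UNICODE" in op.name or "STRING" in op.name:
            strings.append(arg); last = arg; continue
        elif op.name == "MEMOIZE":                     # track memo slots so a reused module name via BINGET resolves
            memo[len(memo)] = last; continue
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last; continue
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and memo.get(arg) is not None:
            strings.append(memo[arg])
        last = None
    return refs

def vet_pickle_artifact(data: bytes, pinned_sha256: str) -> dict:
    """Provenance check (pinned digest) plus static pickle inspection; load only if both pass."""
    hash_ok = hashlib.sha256(data).hexdigest() == pinned_sha256
    try:
        unexpected = sorted(referenced_globals(data) - ALLOWED_GLOBALS)
        parseable = True
    except (ValueError, IndexError):                   # truncated or malformed stream: refuse, do not guess
        unexpected, parseable = [], False
    return {"hash_ok": hash_ok, "parseable": parseable, "unexpected_globals": unexpected,
            "safe_to_load": hash_ok and parseable and not unexpected}

# Constructed samples: a benign state-dict-like object, and one that merely references a class outside the
# allowlist (loading it would be harmless, but any reference outside the allowlist is a red flag).
BENIGN = pickle.dumps(collections.OrderedDict([("layer.weight", [0.1, -0.2])]))
SUSPECT = pickle.dumps(subprocess.Popen)
BENIGN_DIGEST = hashlib.sha256(BENIGN).hexdigest()    # stands in for the digest recorded in a signed manifest

if __name__ == "__main__":
    print(vet_pickle_artifact(BENIGN, BENIGN_DIGEST))
    print(vet_pickle_artifact(SUSPECT, BENIGN_DIGEST))
```

A real deployment would read the pinned digest from a signed manifest rather than computing it from the file being vetted, and would still prefer a safetensors artifact, which needs no opcode inspection at all.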

References

  • Gu, T. et al. (2017). "BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain."
  • MITRE. (2023). "ATLAS: ML Supply Chain Compromise."
  • OWASP. (2023). "LLM05: Supply Chain Vulnerabilities."

Framework Mappings

Framework         | Reference
MITRE ATLAS       | AML.T0010: ML Supply Chain Compromise
OWASP LLM Top 10  | LLM05: Supply Chain Vulnerabilities
AATMF             | SC-* (Supply Chain category)

Citation

Aizen, K. (2025). "Supply Chain Attacks." AI Security Wiki, snailsploit.com. Retrieved from https://snailsploit.com/ai-security/wiki/attacks/supply-chain-attacks/