Volume IV: Infrastructure & Human Factors
Three tactics that target the systems around the model — supply chains, inference infrastructure, and the humans who build, deploy, and interact with AI.
T13
AI Supply Chain & Artifact Trust
15 techniques · 150 procedures · Risk 205–260
Compromise model supply chain
2025–2026 Threat Update
- 44.9% of popular HuggingFace models still use unsafe serialization formats (pickle-based rather than safetensors). The NullifAI malicious models evaded scanning for 8+ months by storing their PyTorch pickles in 7z rather than the expected ZIP container, so scanners that only parse ZIP never inspected the pickle at all.
- LoRATK (EMNLP 2025): a single backdoor-infected LoRA retains its malicious capabilities after being merged with multiple task-specific adapters.
- s1ngularity: the first supply chain attack observed to actively search developer machines for installed LLM tools.
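The serialization and container points above are easy to get wrong in practice, so here is an added example (not code from the original page or from any of the projects it names) of a static pickle scanner that lists the imports a model file would trigger without unpickling it, scans the `data.pkl` member of a torch-style ZIP, and fails closed on any container it does not recognize instead of silently passing it. The allowlist, the `_Evil` payload class, the ZIP layout, and the 7z magic blob are all constructed for the demo and are assumptions, not a vetted allowlist for any real loader.

```python
import io
import os
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Imports a plain PyTorch state_dict pickle legitimately needs. This allowlist is an
# assumption for the demo; a real scanner derives it from the loader it protects.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Opcodes that push a string; STACK_GLOBAL consumes the last two of these.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_globals(data: bytes) -> set:
    """Statically list every (module, name) pair a pickle stream would import.
    Walks opcodes with pickletools.genops, so nothing in the stream is executed."""
    found = set()
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":          # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol >= 4: module, name pushed as strings
            found.add((strings[-2], strings[-1]))
    return found


def scan_pickle(data: bytes) -> list:
    """Findings for one pickle stream: every import outside the allowlist."""
    return [f"suspicious import {m}.{n}"
            for m, n in sorted(pickle_globals(data)) if (m, n) not in ALLOWED_GLOBALS]


def scan_artifact(blob: bytes) -> list:
    """Scan a model artifact by its actual container, not its file extension.
    torch.save output is a ZIP whose */data.pkl member holds the pickle; a bare
    pickle starts with the PROTO opcode (0x80). Anything else is reported as
    unscannable rather than passed: a zip-only scanner that returns "clean" for a
    7z-wrapped pickle is exactly the gap described in the threat update above."""
    if blob[:4] == b"PK\x03\x04":
        findings = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    findings += [f"{member}: {f}" for f in scan_pickle(zf.read(member))]
        return findings
    if blob[:1] == b"\x80":
        return scan_pickle(blob)
    return ["unscannable: unrecognized container, refuse to load"]


class _Evil:
    """Constructed demo payload: __reduce__ makes any unpickler call os.system.
    It is only ever pickled and scanned here, never loaded."""
    def __reduce__(self):
        return (os.system, ("echo compromised",))


def build_pt(payload: bytes) -> bytes:
    """Wrap a pickle in the ZIP layout torch.save uses (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", payload)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples: a benign state_dict-like pickle (protocol 2 exercises GLOBAL),
# a malicious one (protocol 4 exercises STACK_GLOBAL), and a blob carrying only the
# 7z magic bytes to stand in for an archive the scanner cannot open.
BENIGN_PT = build_pt(pickle.dumps(OrderedDict(weight=[1.0, 2.0]), protocol=2))
MALICIOUS_PT = build_pt(pickle.dumps(_Evil(), protocol=4))
SEVENZIP_BLOB = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PT), ("malicious", MALICIOUS_PT), ("7z", SEVENZIP_BLOB)]:
        print(label, scan_artifact(blob) or ["clean"])
```

The scanner never calls `pickle.loads`; the opcode walk is the whole check, which is why it is safe to run on untrusted uploads. The module name for `os.system` resolves to the platform's `posix` or `nt` module in the pickle, so the finding reads `posix.system` on Linux.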
T13 AI Supply Chain & Artifact Trust 15 techniques
| ID | Technique | Risk | Rating | Procedures |
|---|---|---|---|---|
| T13-AT-001 | Model Repository Poisoning | 255 | 🔴 CRITICAL | 10 |
| T13-AT-002 | Dataset Contamination | 245 | 🟠 HIGH | 10 |
| T13-AT-003 | Pipeline Injection Attacks | 240 | 🟠 HIGH | 10 |
| T13-AT-004 | Dependency Confusion | 235 | 🟠 HIGH | 10 |
| T13-AT-005 | Model Card Manipulation | 210 | 🟠 HIGH | 10 |
| T13-AT-006 | Checkpoint Poisoning | 250 | 🔴 CRITICAL | 10 |
| T13-AT-007 | Transfer Learning Attacks | 225 | 🟠 HIGH | 10 |
| T13-AT-008 | Model Conversion Exploits | 220 | 🟠 HIGH | 10 |
| T13-AT-009 | Cloud Training Attacks | 230 | 🟠 HIGH | 10 |
| T13-AT-010 | Hardware Supply Chain | 260 | 🔴 CRITICAL | 10 |
| T13-AT-011 | Model Marketplace Attacks | 215 | 🟠 HIGH | 10 |
| T13-AT-012 | Artifact Signature Attacks | 225 | 🟠 HIGH | 10 |
| T13-AT-013 | Container Registry Poisoning | 235 | 🟠 HIGH | 10 |
| T13-AT-014 | Development Tool Compromise | 240 | 🟠 HIGH | 10 |
| T13-AT-015 | Model Obfuscation Attacks | 205 | 🟠 HIGH | 10 |
T14
Infrastructure & Economic Warfare
15 techniques · 150 procedures · Risk 210–280
Attack AI infrastructure
2025–2026 Threat Update
- ShadowMQ (Oligo Security): the same unsafe ZeroMQ pattern, an unauthenticated socket feeding pickle deserialization, copy-pasted across inference frameworks — CVE-2025-30165 (vLLM, CVSS 8.0), CVE-2025-23254 (TensorRT-LLM, CVSS 8.8).
- NVIDIA Triton chain (CVE-2025-23319/23320/23334): chained to unauthenticated remote compromise of the inference server, 25,000+ organizations affected.
- Langflow CVE-2025-3248 (CVSS 9.8): added to the CISA KEV catalog with confirmed active exploitation.
T14 Infrastructure & Economic Warfare 15 techniques
| ID | Technique | Risk | Rating | Procedures |
|---|---|---|---|---|
| T14-AT-001 | GPU Farm Hijacking | 265 | 🔴 CRITICAL | 10 |
| T14-AT-002 | Denial of Service Attacks | 240 | 🟠 HIGH | 10 |
| T14-AT-003 | Cost Inflation Attacks | 235 | 🟠 HIGH | 10 |
| T14-AT-004 | Market Manipulation via AI | 255 | 🔴 CRITICAL | 10 |
| T14-AT-005 | Critical Infrastructure Attacks | 270 | 🔴 CRITICAL | 10 |
| T14-AT-006 | Competitive Sabotage | 245 | 🟠 HIGH | 10 |
| T14-AT-007 | Nation-State AI Warfare | 280 | 🔴 CRITICAL | 10 |
| T14-AT-008 | Ransomware via AI Systems | 260 | 🔴 CRITICAL | 10 |
| T14-AT-009 | Resource Starvation | 230 | 🟠 HIGH | 10 |
| T14-AT-010 | Data Center Attacks | 250 | 🔴 CRITICAL | 10 |
| T14-AT-011 | API Economy Attacks | 225 | 🟠 HIGH | 10 |
| T14-AT-012 | Cloud Provider Exploitation | 265 | 🔴 CRITICAL | 10 |
| T14-AT-013 | Economic Espionage | 255 | 🔴 CRITICAL | 10 |
| T14-AT-014 | Systemic Risk Creation | 270 | 🔴 CRITICAL | 10 |
| T14-AT-015 | Regulatory Exploitation | 210 | 🟠 HIGH | 10 |
T15
Human Workflow Exploitation
15 techniques · 108 procedures · Risk 195–260
Manipulate human reviewers and workflows
2025–2026 Threat Update
- Multiple teen suicides linked to Character.AI prompted product liability lawsuits (May 2025), a Google settlement (January 2026), and California SB 243.
- Anthropic-OpenAI joint evaluation (June–July 2025) tested sycophancy, alignment faking, and deception; it found no consistent evidence that reasoning models are either more or less aligned.
- Anthropic's alignment auditing agents autonomously uncover hidden goals with a 10–42% success rate.
T15 Human Workflow Exploitation 15 techniques
| ID | Technique | Risk | Rating | Procedures |
|---|---|---|---|---|
| T15-AT-001 | Reviewer Fatigue Exploitation | 215 | 🟠 HIGH | 10 |
| T15-AT-002 | Social Engineering of Moderators | 230 | 🟠 HIGH | 10 |
| T15-AT-003 | Feedback Loop Manipulation | 240 | 🟠 HIGH | 10 |
| T15-AT-004 | Reviewer Bribery & Coercion | 250 | 🔴 CRITICAL | 4 |
| T15-AT-005 | Playbook & Runbook Injection | 235 | 🟠 HIGH | 4 |
| T15-AT-006 | Queue Manipulation | 220 | 🟠 HIGH | 9 |
| T15-AT-007 | Escalation Chain Exploitation | 225 | 🟠 HIGH | 3 |
| T15-AT-008 | Cultural & Language Arbitrage | 210 | 🟠 HIGH | 10 |
| T15-AT-009 | Synthetic Empathy Exploitation | 195 | 🟡 MEDIUM | 5 |
| T15-AT-010 | Annotation Quality Attacks | 230 | 🟠 HIGH | 10 |
| T15-AT-011 | Reviewer Impersonation | 245 | 🟠 HIGH | 5 |
| T15-AT-012 | Timing Attack Exploitation | 205 | 🟠 HIGH | 7 |
| T15-AT-013 | Cognitive Overload Attacks | 220 | 🟠 HIGH | 10 |
| T15-AT-014 | Review Gaming Through A/B Testing | 215 | 🟠 HIGH | 9 |
| T15-AT-015 | Insider Threat Recruitment | 260 | 🔴 CRITICAL | 2 |