AI Supply Chain Compromise - AI Security Technique

Record summary

A quick snapshot of what this page covers.

Tactics1Attacker goals connected to this method.

Mitigations3Defenses that may help against this attack.

AI risks1Research-backed risks connected to this topic.

Attack context

How this AI attack works in practice.

Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include Hardware, Data and its annotations, parts of the AI AI Software stack, or the Model itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.

ATLAS ID: AML.T0010
Priority score: 54

Maturity: realized

Initial Access

Mitigations

Defenses that may help against this attack.

AML.M0023 - AI Bill of Materials

Business and Data UnderstandingData Preparation+1 more

LifecycleBusiness and Data Understanding + 2 moreCategoryPolicy

An AI BOM can help users identify untrustworthy components of their AI supply chain.

AML.M0020 - Generative AI Guardrails

ML Model EngineeringML Model Evaluation+1 more

LifecycleML Model Engineering + 2 moreCategoryTechnical - ML

Guardrails can detect harmful code in model outputs.

AML.M0014 - Verify AI Artifacts

Business and Data UnderstandingData Preparation+1 more

LifecycleBusiness and Data Understanding + 2 moreCategoryTechnical - Cyber

Introduce proper checking of signatures to ensure that unsafe AI artifacts will not be introduced to the system.

Case studies

Examples from public reports and exercises.

Malicious Models on Hugging Face

incident

Date2025-02-25

Researchers at ReversingLabs have identified malicious models containing embedded malware hosted on the Hugging Face model repository. The models were found to execute reverse shells when loaded, which grants the threat actor command and control capabilities on the victim's system. Hugging Face uses Picklescan to scan models for malicious code, however these models were not flagged as malicious. The researchers discovered that the model files were seemingly purposefully corrupted in a way that the malicious payload is executed before the model ultimately fails to de-serialize fully. Picklescan relied on being able to fully de-serialize the model.

Since becoming aware of this issue, Hugging Face has removed the models and has made changes to Picklescan to catch this particular attack. However, pickle files are fundamentally unsafe as they allow for arbitrary code execution, and there may be other types of malicious pickles that Picklescan cannot detect.

Related risks

Research-backed risks connected to this topic.

Software Supply Chains

Confidence: 0.68

Domain2. Privacy & SecuritySubdomain2.2 > AI system security vulnerabilities and attacks

"The software development toolchain of LLMs is complex and could bring threats to the developed LLM."

Related CVEs

Known software flaws linked to this context.

No related CVEs. No software flaw is connected to this attack in the current data.

Source

Where this page information comes from.

Original source

Original source links

Open the public records and source datasets used for this page.

Repositoryhttps://github.com/mitre-atlas/atlas-data ATLAS.yamlhttps://github.com/mitre-atlas/atlas-data/blob/main/dist/ATLAS.yaml Schemahttps://github.com/mitre-atlas/atlas-data/blob/main/dist/schemas/atlas_output_schema.json