Insight | Foundation Models
Xither Staff

AI security posture

AI supply chain attacks: compromised models and libraries

TL;DR

This report analyzes the growing risk of supply chain attacks against AI models and the software libraries around them. It focuses on three points of exposure: models pulled from Hugging Face repositories, packages installed from PyPI, and widely reused base models, where a single compromised artifact propagates into every application derived from it. It covers attack vectors, recent incidents, and mitigations relevant to enterprise AI buyers and platform leads.

Supply chain attacks on AI ecosystems increased in 2023 as adversaries targeted machine learning (ML) models and their supporting libraries to introduce malicious code or backdoored behaviour. Enterprises depend on open repositories such as Hugging Face for pretrained models and PyPI for Python libraries; both accept uploads with limited vetting, and neither offers a common standard for rating how trustworthy a given artifact is.

Vulnerabilities in Hugging Face and pretrained models

Hugging Face hosts over 250,000 models, datasets, and tokenizers, with minimal centralized security review before an upload becomes publicly available. Researchers from the University of Michigan reported in April 2023 that multiple popular models contained trojaned weights: altered parameters that produce attacker-chosen outputs only when a specific trigger is present in the input. A notable incident involved a trojan inserted into a vision transformer model that activated when classifying specific images, so the model passed ordinary accuracy testing and standard detection pipelines. Weights are not the only concern: a model file distributed in a pickle-based format (PyTorch .bin and .pt checkpoints) can execute arbitrary code on the machine that loads it, which is a more direct compromise than a behavioural backdoor.

In downstream applications, a poisoned model can cause targeted misclassification or attacker-chosen outputs, and a model file that executes code on load can exfiltrate data or act with the privileges of the process that loaded it. Anyone can publish to the hub, and automated pipelines that pull the latest revision of a model without pinning a commit or verifying file digests will pick up a compromised artifact as soon as it is pushed. Gartner’s Hype Cycle for AI Security (2023) identifies supply chain attacks on pretrained models as a growing enterprise risk without standardized supply chain governance frameworks.
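Besides trojaned weights, a model file in a pickle-based format (PyTorch .bin and .pt checkpoints) can run code when it is loaded, because unpickling imports and calls whatever callables the byte stream names. That import list can be inspected without executing anything: Python's pickletools exposes the opcode stream, so a scanner can enumerate every module.name the unpickler would import and compare it against an allowlist of globals a plain weights file legitimately needs. The following is an added example, not code from the original article, from Hugging Face, or from any scanning product; the SAFE_GLOBALS allowlist, the hand-built pickle byte strings, and the function names are assumptions for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

# Globals that a plain PyTorch state_dict checkpoint legitimately references.
# Assumed allowlist for this example: derive yours from a known-good checkpoint.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"),
    ("torch", "LongStorage"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def scan_pickle(data: bytes) -> List[Tuple[str, str]]:
    """Walk the opcode stream without executing it and return every
    (module, name) pair the unpickler would import that is not allowlisted.

    GLOBAL and INST carry the pair inline. STACK_GLOBAL (protocol 4+) takes
    module and name from the two strings on top of the stack; those may have
    been pushed directly or fetched from the memo, so both are tracked.
    """
    findings: List[Tuple[str, str]] = []
    memo: Dict[int, Optional[str]] = {}
    pushed: List[Optional[str]] = []   # strings pushed on the stack, in order
    top_is_str = False                 # True while the stack top is a tracked string

    def check(module: str, name: str) -> None:
        if (module, name) not in SAFE_GLOBALS:
            findings.append((module, name))

    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            pushed.append(arg)
            top_is_str = True
        elif op.name == "MEMOIZE":            # memo key is the next free index
            memo[len(memo)] = pushed[-1] if top_is_str else None
        elif op.name in PUT_OPS:              # explicit memo key
            memo[arg] = pushed[-1] if top_is_str else None
        elif op.name in GET_OPS:              # re-push a memoized value
            value = memo.get(arg)
            pushed.append(value)
            top_is_str = value is not None
        elif op.name in ("GLOBAL", "INST"):   # arg is "module name"
            module, name = arg.split(" ", 1)
            check(module, name)
            top_is_str = False
        elif op.name == "STACK_GLOBAL":
            if len(pushed) < 2 or pushed[-1] is None or pushed[-2] is None:
                findings.append(("<unresolved>", "STACK_GLOBAL"))
            else:
                check(pushed[-2], pushed[-1])
            top_is_str = False
        else:
            top_is_str = False
    return findings


def is_safe_to_load(data: bytes) -> bool:
    """True only if every import the pickle performs is allowlisted."""
    return not scan_pickle(data)


# Constructed samples; none of them is ever passed to pickle.loads here.
# Protocol 0: GLOBAL os.system, then REDUCE calls it with "id".
MALICIOUS_PROTO0 = b"cos\nsystem\n(S'id'\ntR."
# Protocol 4: STACK_GLOBAL os.system, then a second import that fetches the
# memoized module string with BINGET (how real pickles reuse module names).
MALICIOUS_PROTO4 = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94h\x00\x8c\x05popen\x93."
# A benign state_dict-like object: only collections.OrderedDict is imported.
BENIGN_STATE_DICT = pickle.dumps(
    OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]), protocol=4)

if __name__ == "__main__":
    for label, blob in (("proto0", MALICIOUS_PROTO0), ("proto4", MALICIOUS_PROTO4),
                        ("benign", BENIGN_STATE_DICT)):
        print(label, "safe" if is_safe_to_load(blob) else scan_pickle(blob))
```

pickletools.genops decodes opcodes without building objects, so the malicious samples are never executed. The memo tracking is what makes the second import in MALICIOUS_PROTO4 resolvable; protocol 4 pickles routinely reuse a memoized module string for later STACK_GLOBAL imports, and a scanner that ignores BINGET would miss them. Treat an unresolved STACK_GLOBAL as a failure, not a pass. An import allowlist catches code-on-load, not trojaned weights; those need behavioural testing, and the simplest way to avoid the problem entirely is to accept weights only in safetensors form.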

Risks from PyPI packages in AI pipelines

PyPI remains a critical source for AI development libraries, including transformers, tokenizers, and data preprocessing tools. Yet anyone can publish to it, which lets threat actors upload malicious or typosquatted packages. In 2022 and 2023, multiple incidents surfaced where attackers published backdoored copies of popular AI libraries under slightly modified names, leading to unauthorized cryptomining, command execution, and credential theft in enterprise environments.

A Forrester study (2023) reports that 47% of surveyed enterprises experienced a compromised dependency in their ML workflow within the previous year. Detection is complicated by the depth of transitive dependencies in AI pipelines and by unpinned version ranges that resolve to whatever was published most recently. Enterprises that rely heavily on PyPI for ML components struggle to maintain software supply chain transparency and provenance.

Base model security challenges and mitigation strategies

Base models—large pretrained architectures used as foundations for specialized applications—are high-value targets for adversaries. Their widespread reuse multiplies the impact of a single compromised artifact: every fine-tuned derivative inherits the compromise. Some base models incorporate third-party datasets with unverified licenses or poisoned samples, further complicating trustworthiness. AI security firm Conviso reports a 36% rise in detected adversarial modifications to base models between 2022 and 2023.

Mitigation approaches include supply chain risk assessments, enforcing model provenance with cryptographic signatures, and model auditing tools that detect weight anomalies or behavioural deviations. A signature establishes who published an artifact, not that it is benign, so it needs to be paired with pinning the exact revision and file digests that were reviewed, and with accepting weights only in formats that cannot execute code on load (safetensors rather than pickle-based checkpoints). Tools like Snyk for Open Source Security and Microsoft’s security scanning integrated into Azure AI services provide partial coverage, but enterprise-wide adoption remains limited.
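The provenance enforcement described above, as an added example (not code from the original article, from Hugging Face, or from any vendor product): a downloaded model snapshot is compared with a manifest of SHA-256 digests recorded when that revision was reviewed, and any file in a format that can execute code on load is refused whether or not the manifest lists it. A signature check on the manifest itself would sit in front of this step; the digest comparison is what establishes that the bytes on disk are the ones that were reviewed. The manifest format, the allowed-suffix set, the file names and the placeholder weight bytes are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# File types accepted in a snapshot: all are data-only formats. Pickle-based
# checkpoints (.bin, .pt, .pkl) and remote-code modules (.py) are refused
# whether or not a manifest lists them. Assumed set for this example.
ALLOWED_SUFFIXES = {".safetensors", ".json", ".txt"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_model_dir(model_dir: Path, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a downloaded snapshot with a pinned manifest {relative path: sha256}.
    Returns (path, problem) pairs; an empty list means every pinned file is
    present with the reviewed content and nothing else is in the directory."""
    problems: List[Tuple[str, str]] = []
    present = {p.relative_to(model_dir).as_posix(): p
               for p in model_dir.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            problems.append((rel, "missing"))
        elif sha256_file(present[rel]) != expected:
            problems.append((rel, "digest-mismatch"))
    for rel in present:
        if Path(rel).suffix not in ALLOWED_SUFFIXES:
            problems.append((rel, "disallowed-format"))
        elif rel not in manifest:
            problems.append((rel, "unexpected-file"))
    return sorted(problems)


def build_demo_snapshot() -> Tuple[Path, Dict[str, str]]:
    """Constructed stand-in for a reviewed revision: two files and the manifest
    a reviewer records for them. The weights are placeholder bytes, not a real
    tensor file."""
    model_dir = Path(tempfile.mkdtemp(prefix="model-"))
    (model_dir / "config.json").write_text('{"architectures": ["BertModel"]}\n')
    (model_dir / "model.safetensors").write_bytes(b"\x00" * 64)
    manifest = {rel: sha256_file(model_dir / rel)
                for rel in ("config.json", "model.safetensors")}
    return model_dir, manifest


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Verify the clean snapshot, then simulate a compromised later revision:
    weights replaced, a remote-code module added, an unpinned config added."""
    model_dir, manifest = build_demo_snapshot()
    clean = verify_model_dir(model_dir, manifest)
    (model_dir / "model.safetensors").write_bytes(b"\x00" * 63 + b"\x01")
    (model_dir / "modeling_custom.py").write_text("import os\n")
    (model_dir / "generation_config.json").write_text("{}\n")
    tampered = verify_model_dir(model_dir, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for state, problems in demo().items():
        print(state, problems or "OK")
```

The manifest is populated once, at review time, from the revision that was actually inspected (for hub-hosted models, the per-file SHA-256 shown for LFS files at that commit), and then stored with the deploying application rather than fetched alongside the model. Any non-empty result, including an unexpected but harmless-looking extra file, should stop the load: an extra .py file in a snapshot is exactly how remote code gets into a pipeline that trusts the hub.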

Model risk policies need to extend beyond traditional data governance to cover third-party artifact verification and continuous monitoring. Enterprises should prioritize vendors committed to transparent AI supply chains and to compliance with emerging standards such as the EU AI Act's risk management requirements.

Conclusion

Supply chain attacks targeting publicly available AI models and libraries present evolving risks with operational and reputational impact. The open, distributed nature of model sharing platforms like Hugging Face and package indexes like PyPI widens the attack surface. Enterprise buyers and platform leads must integrate supply chain risk management into their AI security posture, using automated verification, dependency analysis, and third-party risk frameworks to limit exposure to compromised artifacts.

Checklist for managing AI supply chain attack risks

  • Validate the provenance of pretrained models: pin the reviewed revision, verify file digests or cryptographic signatures before loading, and prefer formats that cannot execute code on load
  • Integrate automated dependency scanning tools focused on AI libraries
  • Enforce strict model governance policies covering third-party artifacts
  • Use behavioral model audits to detect anomalous outputs or backdoors
  • Prioritize vendors and repositories that provide transparency and security assessments
  • Stay current with emerging AI regulation requirements impacting third-party risk
  • Educate platform teams on supply chain risks specific to AI pipelines