How is an AI supply chain different from a normal software supply chain?

It has the usual code/dependency risks plus AI-specific ones: model weights are opaque binaries that can hide backdoors, training data can be poisoned to implant behaviors, and retrieval/RAG layers pull in third-party text that can carry prompt injection. The attack surface includes data and models, not just code.

Can I trust a model downloaded from a public hub?

Treat it like any untrusted artifact. Verify the publisher, check signatures/hashes where provided, prefer safetensors over pickle formats (pickle can execute code on load), scan for known-malicious files, and evaluate behavior before production use.

What is dependency confusion in AI packages?

An attacker publishes a malicious public package with the same name as your private internal package (or a typo of a popular ML library). If your installer prefers the public index, it pulls the attacker's code. Pin versions, use a private index with namespace protection, and verify hashes.

Is this guide a substitute for a security review?

No. It is an educational reference to raise awareness of AI-specific patterns. Pair it with a proper threat model, code review, and security testing of your actual pipeline.

AI Supply Chain Attack Reference Guide

AI supply chain attack reference

The AI supply chain inherits every classic software risk and adds new ones: model weights are opaque binaries that can hide backdoors, training data can be poisoned to implant hidden behaviors, and retrieval layers ingest third-party text that can carry prompt injection. This is a filterable, offline reference to the major patterns, each with its vector, impact, and mitigations.

How it works

Browse the catalog or filter by category — model, data, dependency, or retrieval-layer attacks. Each entry describes how the attack is delivered, what an attacker gains, and the specific controls that reduce the risk. The content is static and runs entirely in your browser; nothing is sent anywhere.

Notes and tips

Prefer safetensors over pickle-based weight formats: loading a malicious pickle can execute arbitrary code on your machine.
Pin and hash-verify every dependency, and use a private package index with namespace protection to defeat dependency confusion.
Treat retrieved/RAG content as untrusted input — never let retrieved text silently override system instructions, and sandbox any tools the model can call.