Supply Chain Attack Vectors

In the Understanding AI Supply Chains room, you learned about the JFrog researchers who discovered approximately 100 malicious models on Hugging Face. Now you are about to investigate one yourself.

Yesterday, the CEO at TryTrainMe received an alarming email:

Subject: Your systems have been compromised! We've had access to your servers for 3 weeks through your "AI-powered" code reviewer. Check your model loading code. You might want to scan those "harmless" .pkl files you downloaded. – A concerned security researcher

Your security team has been called in. You will investigate four major attack vectors: malicious model serialisation (pickle), dependency confusion, model repository manipulation, and API provider compromise. Starting with a suspicious model file on the lab VM, you will trace how attackers exploit every layer of the AI supply chain.

Learning Objectives

• Explain how Python's pickle serialisation enables arbitrary code execution through the __reduce__ method
• Investigate a malicious model file using safe analysis techniques (pickletools)
• Describe how dependency confusion and typosquatting attacks compromise package installations
• Identify the warning signs of a compromised model repository
• Recognise the attack vectors specific to API-consumed models: silent updates, key compromise, and prompt template injection.

Prerequisites

• Completed Understanding AI Supply Chains
• Basic Python knowledge (variables, functions, classes)
• Comfortable using the Linux terminal