AI Supply Chain Attack Reference Guide

Reference guide to AI-specific supply chain attack patterns

Offline, filterable reference to AI-specific supply chain attacks — model weight poisoning, dataset manipulation, dependency confusion in AI packages, malicious fine-tuning, and prompt injection via third-party retrievals — each with vector, impact, and mitigations. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How is an AI supply chain different from a normal software supply chain?

It has the usual code/dependency risks plus AI-specific ones: model weights are opaque binaries that can hide backdoors, training data can be poisoned to implant behaviors, and retrieval/RAG layers pull in third-party text that can carry prompt injection. The attack surface includes data and models, not just code.

AI supply chain attack reference

The AI supply chain inherits every classic software risk and adds new ones: model weights are opaque binaries that can hide backdoors, training data can be poisoned to implant hidden behaviors, and retrieval layers ingest third-party text that can carry prompt injection. This is a filterable, offline reference to the major patterns, each with its vector, impact, and mitigations.

How it works

Browse the catalog or filter by category — model, data, dependency, or retrieval-layer attacks. Each entry describes how the attack is delivered, what an attacker gains, and the specific controls that reduce the risk. The content is static and runs entirely in your browser; nothing is sent anywhere.

Why AI supply chains are a distinct problem

Traditional software supply chain attacks target code and packages. AI systems have all of those same risks, plus two entirely new attack surfaces that do not exist in ordinary software:

Model weights and training artifacts. A trained model is not source code — it is a dense binary tensor file that no human can read or audit line by line. Backdoors can be embedded in weights during training so that the model behaves normally on almost all inputs but produces attacker-chosen outputs when a specific trigger phrase or image patch appears. This is sometimes called a Trojan or backdoor attack. Because the vulnerability lives in a binary artifact rather than source code, static analysis cannot detect it the way a code review can.

Training data and fine-tuning inputs. If an attacker can influence what goes into a training or fine-tuning dataset — through data poisoning, by contributing to a public dataset, or by injecting content that a scraper will collect — they can shift model behavior at scale. Fine-tuning in particular is a high-risk moment: a small, targeted poisoned fine-tuning set can override alignment achieved during a much larger base training run.

The four attack layers at a glance

LayerExample attackWhat the attacker gains
ModelPoisoned weights on a public hubBackdoored model deployed by downstream users
DataPoisoned training set contributionsBiased or maliciously triggered model behavior
DependencyDependency confusion or typosquatting in ML packagesArbitrary code execution during pip install
RetrievalPrompt injection in RAG source documentsManipulation of model outputs at inference time

Mitigation priorities

Not all risks are equal. Dependency confusion and typosquatting attacks against ML packages have the most direct path to code execution and are the most immediately dangerous in a production pipeline — treat them like any other software supply chain risk: pin versions, verify hashes, and use a private index with namespace protection.

Weight-level backdoors are harder to detect but often have a narrower blast radius (they require the attacker to know the trigger). The best mitigations are sourcing models from known publishers, preferring safetensors over pickle formats (loading pickle can execute arbitrary Python), and evaluating model behavior on adversarial probes before production use.

RAG and retrieval-layer attacks are increasingly relevant as more systems pull in third-party content at inference time. Treat retrieved text as untrusted user input: never allow it to override system-level instructions, and run sandboxed tool calls rather than direct execution of anything the model suggests based on retrieved content.

Notes and tips

  • Prefer safetensors over pickle-based weight formats: loading a malicious pickle can execute arbitrary code on your machine.
  • Pin and hash-verify every dependency, and use a private package index with namespace protection to defeat dependency confusion.
  • Treat retrieved/RAG content as untrusted input — never let retrieved text silently override system instructions, and sandbox any tools the model can call.
  • This guide is an educational reference. Pair it with a threat model specific to your pipeline and professional security review.