Originally published on Securityelites (AI Red Team Education), which hosts the canonical, fully updated version of this article.
Part of the free AI/LLM Hacking Course (90 days). Day 7 of 90.
⚠️ Authorised Research Only: Supply chain security research, including pickle file analysis and model provenance auditing, should only be conducted against models and repositories you have authorisation to assess. Never load a suspicious model file in a production environment, or anywhere outside an isolated, disposable one. All pickle scanning in Day 7 uses static analysis only: the files are never loaded or executed. SecurityElites.com accepts no liability for misuse.
In 2023, a researcher from Protect AI published a finding that sent a quiet shock through the ML security community: they had found 23 publicly available models on Hugging Face with malicious code embedded in pickle files. The models had legitimate-looking names, real download counts, and model cards describing genuine architectures. When anyone downloaded and loaded one of those models (a completely routine operation for any ML practitioner) the deserialiser ran the pickle payload. One model contained code that exfiltrated environment variables from the loading machine, including any API keys, database credentials, or cloud provider tokens stored there.
LLM03, Supply Chain Vulnerabilities, is the attack that happens before your application launches. Every other vulnerability class in this course assumes the model is deployed and running. LLM03 targets the pipeline that produces that deployment: the model repository you pulled from, the datasets used in training, the Python packages in your ML environment, the plugins you connected at deployment time. Compromising any one of these components compromises every application built on them, which is what makes supply chain attacks the most scalable vector in AI security. Day 7 gives you the auditing methodology, the scanning tools, and the provenance verification process for every component in the AI supply chain.
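The mechanism behind that incident, and the static check that catches it, as an added example that is not part of the original article and is not picklescan's code. The `MaliciousWeights` class, its inert `echo` payload, the state dict, the file names and the denylist are all constructed for the demo; the scanner takes the same approach picklescan does (walking the opcode stream with `pickletools` instead of loading the file), so nothing in it ever executes the payload.

```python
import io
import os
import pickle
import pickletools
import tempfile
import zipfile

# Modules a serialised weight file has no reason to import. Constructed denylist
# for this demo; picklescan's own list is longer.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "socket", "shutil", "sys", "runpy",
    "importlib", "pty", "ctypes", "webbrowser", "urllib.request", "requests",
}
# builtins cannot be banned wholesale (protocol-0 pickles of ordinary objects
# reference builtins.object), so only its code-execution names are flagged.
DANGEROUS_BUILTINS = {"eval", "exec", "compile", "getattr", "__import__", "open"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def benign_state_dict():
    """What torch.save() pickles; lists stand in for tensors (constructed data)."""
    return {"embed.weight": [0.01, -0.02, 0.03], "config": {"layers": 12}}

class MaliciousWeights:
    """Passes for a model object until it is unpickled: __reduce__ tells the
    loader to call os.system(...). The payload is an inert echo here; the
    Hugging Face samples used the same hook to exfiltrate environment vars."""
    def __reduce__(self):
        return (os.system, ("echo pwned >/dev/null",))

def _is_dangerous(module, name):
    if module in DANGEROUS_MODULES:
        return True
    return module in ("builtins", "__builtin__") and name in DANGEROUS_BUILTINS

def scan_pickle_bytes(data):
    """Disassemble with pickletools.genops (nothing is executed) and return
    (module, name, offset) for every global import that looks like code
    execution. Protocols 0-3 emit GLOBAL "module name"; protocol 4+ emits
    STACK_GLOBAL, which consumes the two most recently pushed strings, so a
    shadow of the string pushes and the memo is kept to resolve it."""
    findings, strings, memo, memo_count, prev_string = [], [], {}, 0, None
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        cur_string = None
        if op.name in STRING_OPS:
            cur_string = arg
            strings.append(arg)
        elif op.name == "MEMOIZE":
            memo[memo_count] = prev_string
            memo_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = prev_string
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and memo.get(arg):
            cur_string = memo[arg]
            strings.append(cur_string)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            if _is_dangerous(module, name):
                findings.append((module, name, pos))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            module, name = strings[-2], strings[-1]
            if _is_dangerous(module, name):
                findings.append((module, name, pos))
        prev_string = cur_string
    return findings

def scan_path(path):
    """Scan a file without loading it. torch.save() output (.pt/.pth/.bin) is a
    zip whose *.pkl member holds the pickle stream, so each such member is
    scanned; anything else is treated as a bare pickle (member == "")."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return [(member, m, n, pos) for member in zf.namelist()
                    if member.endswith(".pkl")
                    for m, n, pos in scan_pickle_bytes(zf.read(member))]
    with open(path, "rb") as fh:
        return [("", m, n, pos) for m, n, pos in scan_pickle_bytes(fh.read())]

def build_samples(protocol=pickle.DEFAULT_PROTOCOL):
    """Serialise both samples. Dumping never calls the __reduce__ callable;
    only pickle.load would, and this demo never loads the result."""
    return {"benign": pickle.dumps(benign_state_dict(), protocol=protocol),
            "malicious": pickle.dumps(MaliciousWeights(), protocol=protocol)}

def demo(directory=None):
    """Write a bare benign pickle and a torch-style archive carrying the
    malicious pickle at data.pkl, scan both, return {filename: findings}."""
    directory = directory or tempfile.mkdtemp(prefix="pickle-demo-")
    samples = build_samples(4)
    benign = os.path.join(directory, "benign.pkl")
    with open(benign, "wb") as fh:
        fh.write(samples["benign"])
    archive = os.path.join(directory, "pytorch_model.bin")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("archive/data.pkl", samples["malicious"])
    return {"benign.pkl": scan_path(benign), "pytorch_model.bin": scan_path(archive)}

if __name__ == "__main__":
    print(demo())
```

Two practitioner notes on this. First, `os.system` pickles as `posix.system` on Linux (`nt.system` on Windows), so a denylist that only names `os` misses the most common payload; that is why both appear above. Second, denylist scanners, picklescan included, only see the imports the opcode stream names directly: a payload that reaches `eval` through `builtins.getattr` chains or a less obvious module evades a short list, so treat a clean scan as necessary rather than sufficient, and prefer formats such as safetensors that carry no executable deserialisation step at all.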
🎯 What You'll Master in Day 7
Map the complete AI supply chain and identify every component as a potential attack surface
Understand how pickle-based model files enable arbitrary code execution on load
Run picklescan against model files to detect malicious code without executing it
Verify model provenance on Hugging Face using security-focused assessment criteria
Assess training dataset security and identify dataset poisoning indicators
Audit third-party AI plugins for supply chain risk and excessive permissions
⏱️ Day 7 · 3 exercises · Think Like a Hacker + Kali Terminal + Browser

Prerequisites
- Day 3, OWASP LLM Top 10: LLM03 in context with the other nine categories; supply chain attacks are the upstream source of model-level vulnerabilities
- Python 3 with pip: Exercise 2 installs picklescan and runs static analysis
- Basic familiarity with Python serialisation: understanding what "loading a model" means technically helps the pickle attack make intuitive sense

LLM03 Supply Chain Vulnerabilities: Day 7 Contents
1. Mapping the AI Supply Chain Attack Surface
2. The Pickle Attack: Code Execution via Model Loading
3. Hugging Face Security: Repository Auditing Methodology
4. Dataset Poisoning: Contamination Before Training
5. Third-Party Plugin and Dependency Security
6. Supply Chain Defences: What a Secure AI Pipeline Looks Like

Days 4 through 6 covered the attack surface of deployed applications: injecting into running systems, extracting credentials, exploiting RAG pipelines. Day 7 moves upstream. LLM03 attacks the pipeline that produces those deployments, before any user ever interacts with the application. The findings from Day 7 are often the most impactful in an AI security assessment because they affect every application built on a compromised component, not just the one being tested. Day 8 extends this into LLM04, which covers poisoning at the training data level.
Mapping the AI Supply Chain Attack Surface
The AI supply chain is deeper than most developers realise, much deeper. Building an LLM application pulls in components from multiple external sources, each a potential attack surface. Some developers I've worked with were surprised to find out their stack had five distinct supply chain layers. You can't audit what you haven't mapped, so that mapping step comes first.
AI SUPPLY CHAIN: COMPLETE COMPONENT MAP
LAYER 1: Base model
Source: Hugging Face, OpenAI API, Anthropic API, local download
Attack: malicious model weights, pickle exploit, altered architecture
Risk: highest β every application using the model inherits the compromise
LAYER 2: Training and fine-tuning datasets
Source: Common Crawl, HuggingFace datasets, custom scraped data
Attack: dataset poisoning, backdoor insertion via training examples
Risk: high β altered model behaviour across all deployments
LAYER 3: ML framework and Python packages
Source: PyPI, Conda, GitHub requirements.txt
Attack: typosquatting (transformres vs transformers), dependency confusion
Risk: medium-high β executes in the training/inference environment
LAYER 4: Pre-built model components
Source: tokenisers, embedding models, LoRA adapters, merge components
Attack: malicious tokeniser, backdoored embedding layer
Risk: medium β specific pipeline stages affected
LAYER 5: Plugins, tools, and integrations
Source: LangChain community hub, OpenAI plugin store, custom connectors
Attack: data exfiltration via plugin, permission escalation
Risk: varies; depends on plugin permissions (LLM06 combination risk)
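One way to audit Layer 3 for the two attacks the map lists, typosquatting and unpinned dependencies, as an added example that is not the article's own code and not a tool the course ships. The allow-list of known packages, the sample `requirements.txt` and its all-zero placeholder hash are constructed for the demo; the checks themselves (name normalisation per PEP 503, edit-distance near-miss detection, `==` pinning, `--hash` presence) are the ones a reviewer applies by hand.

```python
import difflib
import re

# Constructed allow-list: the ML packages this project is known to depend on.
KNOWN_PACKAGES = {
    "torch", "transformers", "tokenizers", "datasets", "safetensors",
    "accelerate", "huggingface-hub", "numpy", "scikit-learn", "peft",
    "langchain", "sentencepiece",
}

# name[extras] <op> version  (a PEP 508 subset; --hash options are checked
# separately because pip accepts them after the specifier)
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;\\]*)")

# Constructed sample requirements.txt for this demo; the hash is a placeholder.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
transformres==4.41.0   # one transposition away from transformers
numpy>=1.26
safetensors==0.4.3
"""


def normalise(name):
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Strip comments and blanks and join backslash-continued lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    return lines


def audit_requirements(text, known=KNOWN_PACKAGES):
    """Return (package, issue, detail) for every requirement that is a near-miss
    of a known name (typosquat candidate), absent from the allow-list, not
    pinned with ==, or shipped without a --hash."""
    known_norm = {normalise(k) for k in known}
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):          # -r, -c, --index-url and friends
            continue
        match = REQ_RE.match(line)
        if not match:
            findings.append((line, "unparsed", "could not parse requirement"))
            continue
        name, op, version = match.groups()
        norm = normalise(name)
        if norm not in known_norm:
            close = difflib.get_close_matches(norm, known_norm, n=1, cutoff=0.8)
            if close:
                findings.append((name, "possible-typosquat", f"did you mean {close[0]}?"))
            else:
                findings.append((name, "unknown-package", "not in the allow-list"))
        if op != "==":
            findings.append((name, "unpinned", f"'{op or ''}{version}' admits newer releases"))
        if "--hash=" not in line:
            findings.append((name, "no-hash", "pip --require-hashes would reject this"))
    return findings


if __name__ == "__main__":
    for package, issue, detail in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{issue:18} {package:14} {detail}")
```

On the sample file only `torch` passes: `transformres` is flagged as a probable typosquat of `transformers`, `numpy>=1.26` as unpinned, and everything without a `--hash=` as unverifiable. The hash check matters because `pip install --require-hashes` is what turns a pin into an integrity guarantee; a bare `==` still trusts whatever the index serves under that version, which is exactly the gap dependency confusion exploits.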
🧠 EXERCISE 1: THINK LIKE A HACKER (20 MIN · NO TOOLS)
Design a Supply Chain Attack Against a Real AI Deployment
⏱️ 20 minutes · No tools needed
Understanding supply chain attacks requires thinking like an attacker who has no access to the target application. The attacker targets the upstream components (the model repository, the training data source, the Python package) rather than the deployed application itself.
This article was written by the Securityelites (AI Red Team Education) team and continues there with deeper technical detail, screenshots, code samples, and an interactive lab walk-through.