Model Repository Poisoning
T13 · AI Supply Chain & Artifact Trust

Model repositories are the npm/PyPI of the AI ecosystem — the primary distribution channel for pre-trained models. The fundamental vulnerability is that model files are opaque binary artifacts that can contain executable code, and the deserialization step (loading the model) can run that code. The Pickle serialization format, used by 44.9% of HuggingFace models (PickleBall, Aug 2025), executes Python code during deserialization: an object's `__reduce__` method names a callable and its arguments, and the loader invokes that callable while reconstructing the object.
- SafeTensors enforcement: mandate SafeTensors-only loading in production; reject all Pickle-based models
- Multi-scanner pipeline: run Picklescan, ModelScan and fickling in series; accept only models that pass all three
- Runtime AI-BOM verification: hash what actually loaded into memory and compare it against the expected model hash
- Namespace monitoring: alert on re-registration of previously popular usernames
Model repository poisoning is the primary entry point for the entire AI supply chain. Malicious models chain to T6-AT-003 (Backdoor Insertion) through behavioral trojans, T6-AT-004 (Fine-Tuning Attacks) when the poisoned model is used as a base for fine-tuning, T6-AT-010 (Knowledge Distillation Attacks) when used as a teacher, and T13-AT-007 (Transfer Learning Attacks) when used as a foundation model.