T13-AT-003 · Severity: HIGH

Pipeline Injection Attacks

Tactic: T13 · AI Supply Chain & Artifact Trust
Risk score: 240
Rating: High
Procedures: 10
Mechanism

ML pipelines orchestrate the end-to-end workflow from data ingestion through model training, evaluation, and deployment. These pipelines run on platforms like Kubeflow, MLflow, Airflow, SageMaker Pipelines, and increasingly on general-purpose CI/CD systems (GitHub Actions, Jenkins, GitLab CI). The s1ngularity attack (Aug 2025) originated from a GitHub Actions workflow injection vulnerability in the Nx repository — demonstrating that CI/CD compromise is a practical entry point for AI supply chain attacks.

Detection
  • Pipeline code review with mandatory PR approval for pipeline changes
  • Pipeline execution monitoring: compare actual execution steps against expected pipeline definition
  • Secret rotation and access logging: track all credential usage within pipeline runs
  • Container image integrity: verify image hashes at runtime against signed manifests
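As an added example (not code from this catalogue entry or from any of the platforms it names), the following Python reconciles a recorded pipeline run against its reviewed pipeline-as-code definition, which is the check the execution-monitoring and image-integrity bullets above describe; the step names, image digests and run record are constructed sample values.

```python
"""Reconcile an observed pipeline run against its reviewed definition.

Added example; the step names, image digests and run record below are
constructed sample data, not real artifacts from any project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str
    image: str       # digest-pinned container image reference
    command: tuple   # argv the reviewed definition says this step runs


# The pipeline as committed and reviewed (pipeline-as-code). Constructed values.
EXPECTED = (
    Step("ingest",   "registry.example/ingest@sha256:aaaa1111",  ("python", "ingest.py")),
    Step("train",    "registry.example/train@sha256:bbbb2222",   ("python", "train.py")),
    Step("evaluate", "registry.example/train@sha256:bbbb2222",   ("python", "eval.py")),
    Step("publish",  "registry.example/publish@sha256:cccc3333", ("python", "publish.py")),
)


def audit_run(expected, observed):
    """Return findings for one run; an empty list means it matched the definition.

    `observed` is the ordered list of steps the orchestrator actually executed,
    as dicts with the keys name/image/command (e.g. parsed from run metadata).
    """
    findings = []
    by_name = {s.name: s for s in expected}
    seen = []
    for idx, obs in enumerate(observed):
        exp = by_name.get(obs["name"])
        if exp is None:                      # a step nobody reviewed
            findings.append(f"step {idx}: unexpected step '{obs['name']}'")
            continue
        seen.append(obs["name"])
        if "@sha256:" not in obs["image"]:   # mutable tag instead of a digest
            findings.append(f"step '{exp.name}': image not digest-pinned ({obs['image']})")
        if obs["image"] != exp.image:        # image swapped relative to the manifest
            findings.append(f"step '{exp.name}': image drift {obs['image']} != {exp.image}")
        if tuple(obs["command"]) != exp.command:
            findings.append(f"step '{exp.name}': command changed to {list(obs['command'])}")
    missing = [s.name for s in expected if s.name not in seen]
    if missing:                              # e.g. evaluation gate skipped
        findings.append(f"missing steps: {missing}")
    expected_order = [s.name for s in expected if s.name in seen]
    if seen != expected_order:               # reordered relative to the definition
        findings.append(f"step order changed: {seen} != {expected_order}")
    return findings
```

A non-empty result should block promotion of the run's artifacts and page the pipeline owners, since every finding is a divergence from what review approved.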
Mitigation
  • Pipeline-as-code with mandatory review and signing (HIGH)
  • SLSA (Supply chain Levels for Software Artifacts) compliance (HIGH)
  • Ephemeral CI environments with minimal credentials (HIGH)
  • Container image signing and runtime verification (MEDIUM)
Chaining

Pipeline injection chains to virtually every other T13 technique as the infrastructure-level enabler. GitHub Actions compromise (T13-AP-003A) chains to T13-AT-001 (Model Repository Poisoning) by enabling direct model replacement.