T13-AT-004 · HIGH

Dependency Confusion

T13 · AI Supply Chain & Artifact Trust

Severity
Risk score: 235
Rating: High
Procedures: 10

Mechanism

ML projects depend on complex dependency trees: PyTorch/TensorFlow, CUDA toolkits, data processing libraries, serving frameworks, and dozens of transitive dependencies. The s1ngularity attack (Aug 2025) compromised the Nx package — a build system dependency — affecting 4.6 million weekly downloads. The Shai-Hulud campaign (Sep–Nov 2025) used stolen tokens from s1ngularity to compromise additional npm packages in a worm-like propagation.

Detection
  • Software Composition Analysis (SCA): scan all dependencies for known compromises and unexpected versions
  • Lockfile integrity: verify lockfile hashes match expected packages; alert on any lockfile change
  • Install-time behavior monitoring: sandbox package installation and monitor for unexpected network connections, file access, or credential reads
  • Private registry proxying: route all installs through a private registry that caches verified versions
Mitigation
  • Strict version pinning with lockfile hash verification · HIGH
  • Private PyPI/npm mirror with admission control · HIGH
  • Post-install network monitoring (sandbox installs) · MEDIUM
  • Namespace reservation for internal packages · MEDIUM
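The two controls that cost the least to automate are lockfile hash verification (Detection) and checking that reserved internal names never resolve from a public index (Mitigation). The script below is an added example, not tooling from the technique browser or any of the projects named above. It assumes a pip-style requirements lock using `--hash=sha256:` pins and an `--index-url` line; the wheel bytes, the `acme-` internal prefix, the `pypi.internal.example` mirror URL and the resolver report are all constructed for the demonstration.

```python
"""Lockfile integrity and dependency-confusion audit for a pip-style lock.

Added example: everything here (artifact bytes, index URLs, the "acme-" prefix)
is constructed; real checks hash the .whl/.tar.gz bytes actually downloaded.
"""
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed stand-ins for downloaded wheel contents.
ARTIFACTS: Dict[str, bytes] = {
    "torch": b"PK\x03\x04 constructed torch-2.3.0 wheel bytes",
    "acme-featurestore": b"PK\x03\x04 constructed acme_featurestore-1.4.2 wheel bytes",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed lockfile in requirements.txt syntax, pinned to the private mirror.
PRIVATE_INDEX = "https://pypi.internal.example/simple"
LOCKFILE = (
    f"--index-url {PRIVATE_INDEX}\n"
    f"torch==2.3.0 --hash=sha256:{sha256_hex(ARTIFACTS['torch'])}\n"
    f"acme-featurestore==1.4.2 --hash=sha256:{sha256_hex(ARTIFACTS['acme-featurestore'])}\n"
)
INTERNAL_PREFIXES = ("acme-",)  # namespace reserved for in-house packages (assumed)

class Pin(NamedTuple):
    version: str
    hashes: frozenset

# name==version followed by one or more --hash=sha256:<64 hex> tokens
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$")

def parse_lockfile(text: str) -> Tuple[Optional[str], Dict[str, Pin]]:
    """Return (index_url, {name: Pin}); any unpinned or unhashed line is rejected."""
    index_url, pins = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--index-url"):
            index_url = line.split(None, 1)[1]
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        name, version, hash_blob = m.groups()
        hashes = frozenset(tok.split(":", 1)[1] for tok in hash_blob.split())
        pins[name.lower()] = Pin(version, hashes)
    return index_url, pins

def verify_artifact(name: str, data: bytes, pins: Dict[str, Pin]) -> bool:
    """Lockfile integrity: the downloaded bytes must hash to a pinned value."""
    pin = pins.get(name.lower())
    return pin is not None and sha256_hex(data) in pin.hashes

def audit_resolution(resolved: Dict[str, str], lock_index: Optional[str]) -> List[str]:
    """Dependency-confusion check over a resolver report of {name: source index}.

    Anything fetched from outside the lockfile's index is a finding; an
    internal-namespace name coming from elsewhere is called out explicitly.
    """
    findings = []
    for name, source in resolved.items():
        if source == lock_index:
            continue
        if name.lower().startswith(INTERNAL_PREFIXES):
            findings.append(f"{name}: internal name resolved from non-private index ({source})")
        else:
            findings.append(f"{name}: resolved outside the lockfile index ({source})")
    return findings

def run_checks() -> dict:
    index_url, pins = parse_lockfile(LOCKFILE)
    all_ok = all(verify_artifact(n, d, pins) for n, d in ARTIFACTS.items())
    tampered = ARTIFACTS["torch"] + b"\x00"  # constructed: one extra byte
    # Constructed resolver report: where each package was actually fetched from.
    resolved = {
        "torch": PRIVATE_INDEX,
        "acme-featurestore": "https://pypi.org/simple",  # public name shadowed the internal one
    }
    return {
        "all_pinned_ok": all_ok,
        "tampered_ok": verify_artifact("torch", tampered, pins),
        "findings": audit_resolution(resolved, index_url),
    }

if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

`parse_lockfile` refuses a requirement without a hash rather than silently skipping it, so a lockfile edit that drops the `--hash` tokens shows up as a failed build, which is the "alert on any lockfile change" behaviour the Detection list asks for. In a real pipeline the resolver report would come from the installer's own logs or the mirror's access log instead of the constructed dictionary.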
Chaining

Dependency confusion chains to T13-AT-003 (Pipeline Injection) — a compromised dependency executes within the pipeline. Credential harvesting (T13-AP-004A, T13-AP-004F) chains to T13-AT-009 (Cloud Training Attacks) and T13-AT-001 (Model Repository Poisoning) via stolen access tokens.
