Development Tool Compromise
T13 · AI Supply Chain & Artifact Trust

ML development tools — Jupyter notebooks, VS Code with ML extensions, Google Colab, Weights & Biases, Gradio, Streamlit, and increasingly AI coding assistants (Cursor, Claude Code, GitHub Copilot) — are the interface between developers and the ML pipeline. The s1ngularity attack specifically targeted AI CLI tool configurations, recognizing that AI coding assistants have access to code repositories, cloud credentials, and development infrastructure. Compromising a development tool gives the attacker persistent access to the developer's environment and, through it, to every project they work on.
- IDE extension auditing: review permissions and behavior of installed extensions
- Notebook content scanning: parse .ipynb files for hidden cells, obfuscated code, and suspicious imports
- Secret scanning in development environments: automated detection of exposed credentials
- MCP tool validation: review tool descriptions for hidden instructions before loading
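As an added example (not tooling from the page or any project it names), the notebook-scanning control above as a small static scanner: it parses an .ipynb document and flags cells hidden through the `metadata.jupyter.source_hidden` or `hide_input` conventions, dynamic execution or decoding calls, long inline encoded blobs, and imports from an assumed watch list of modules. The regexes, the watch list, and the sample notebook are constructed for this example.

```python
import ast, json, re

# Assumed watch list: modules that rarely belong in a training notebook; tune per project.
SUSPICIOUS_MODULES = {"subprocess", "ctypes", "socket", "marshal"}
# Dynamic execution or decoding; the lookbehind keeps model.eval() from matching.
OBFUSCATION = re.compile(r"(?<![\w.])(exec|eval)\s*\(|b64decode|codecs\.decode|zlib\.decompress")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}")  # inline base64-looking payload

def scan_cell(index, cell):
    """Return (cell_index, reason) findings for one nbformat cell dict."""
    findings = []
    meta = cell.get("metadata", {})
    # JupyterLab collapses a cell via metadata.jupyter.source_hidden; hide_input uses a flag or tag.
    if (meta.get("jupyter", {}).get("source_hidden") or meta.get("hide_input")
            or "hide_input" in meta.get("tags", [])):
        findings.append((index, "hidden source cell"))
    if cell.get("cell_type") != "code":
        return findings
    src = cell.get("source", "")
    source = "".join(src) if isinstance(src, list) else src  # nbformat allows either form
    if OBFUSCATION.search(source):
        findings.append((index, "dynamic execution / decoding"))
    if LONG_BLOB.search(source):
        findings.append((index, "long encoded blob"))
    try:
        tree = ast.parse(source)
    except SyntaxError:  # IPython magics, shell escapes, or deliberately broken code
        findings.append((index, "unparseable source (magics or obfuscation)"))
        return findings
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module.split(".")[0]]
        findings += [(index, f"suspicious import: {n}") for n in names if n in SUSPICIOUS_MODULES]
    return findings

def scan_notebook(nb_json):
    """Scan a whole .ipynb document given as its JSON text."""
    cells = json.loads(nb_json).get("cells", [])
    return [f for i, cell in enumerate(cells) for f in scan_cell(i, cell)]

# Constructed sample: a benign training cell followed by a hidden, obfuscated one.
SAMPLE_NOTEBOOK = json.dumps({"nbformat": 4, "nbformat_minor": 5, "cells": [
    {"cell_type": "markdown", "metadata": {}, "source": ["# Train model"]},
    {"cell_type": "code", "metadata": {}, "source": ["import torch\n", "model = torch.nn.Linear(2, 1)\n"]},
    {"cell_type": "code", "metadata": {"jupyter": {"source_hidden": True}},
     "source": ["import base64, subprocess\n", "exec(base64.b64decode('" + "QUFB" * 30 + "'))\n"]},
]})
```

Run it over a real file with `scan_notebook(open(path).read())`; a cell that fails to parse because of IPython magics is reported rather than silently skipped, so the import check is never bypassed unnoticed.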
Development tool compromise is the entry point for many supply chain attack chains. Credential harvesting (T13-AP-014A, T13-AP-014I) chains to T13-AT-001 (Model Repository Poisoning), T13-AT-009 (Cloud Training Attacks), and T13-AT-013 (Container Registry Poisoning) via stolen access tokens.