v2.4.0

Supply Chain — Attack Vectors (Dependencies, Pre-Trained Models, Third-Party Services)

The AI system’s supply chain has three layers, each with distinct attack vectors. The software dependency layer (ML frameworks, data processing libraries, serving frameworks) is vulnerable to typosquatting, dependency confusion, and compromised package updates. An attacker who publishes a malicious package with a name similar to a legitimate dependency can compromise the system if the developer installs the wrong package.

The model component layer (pre-trained models, tokenisers, embedding models) is vulnerable to model backdoors and poisoned weights. These artefacts are distributed without the same signing and verification infrastructure that software packages enjoy. A compromised pre-trained model can introduce systematic biases or hidden triggers that are invisible during standard evaluation. The infrastructure layer (container base images, operating system packages, cloud service configurations) is vulnerable to compromised base images and misconfigured cloud services.
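As an added example (not code from this page or from any particular framework), the following Python applies to the first two layers the verification the paragraphs above describe as missing: it pins model artefacts to SHA-256 values recorded at review time, and it flags dependency lines that lack both an exact version and a hash, the weakness typosquatting and dependency confusion rely on. The artefact bytes, manifest and requirements text are constructed samples.

```python
import hashlib
import re

# Constructed sample artefacts standing in for a tokeniser and a weights file.
SAMPLE_ARTEFACTS = {
    "tokenizer.json": b'{"version": "1.0", "vocab": ["<pad>", "hello"]}',
    "model.safetensors": b"\x00\x01\x02\x03 constructed weight bytes",
}
# Pin manifest recorded when the artefacts were first reviewed (kept beside the
# SBOM in practice); hashes here are computed over the constructed bytes above.
MODEL_MANIFEST = {n: hashlib.sha256(d).hexdigest() for n, d in SAMPLE_ARTEFACTS.items()}

# Constructed requirements text: one fully pinned line, two weak ones.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0 \\
    --hash=sha256:""" + "a" * 64 + """
numpy>=1.26        # range pin: any matching release would be accepted
transformers       # no pin at all
"""

def verify_artefacts(artefacts, manifest):
    """Compare delivered artefacts (name -> bytes) with the manifest; returns
    (name, status) pairs, status being ok, mismatch, unexpected or missing."""
    results = []
    for name in sorted(set(artefacts) | set(manifest)):
        if name not in manifest:
            results.append((name, "unexpected"))   # shipped but never pinned
        elif name not in artefacts:
            results.append((name, "missing"))      # pinned but absent
        elif hashlib.sha256(artefacts[name]).hexdigest() != manifest[name]:
            results.append((name, "mismatch"))     # bytes changed since review
        else:
            results.append((name, "ok"))
    return results

def unpinned_requirements(text):
    """Return names of requirements lacking both an exact '==' pin and a --hash."""
    weak = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option
            continue
        name = re.split(r"[=<>!~\s\[;]", line, maxsplit=1)[0]
        if "==" not in line or "--hash=sha256:" not in line:
            weak.append(name)
    return weak

if __name__ == "__main__":
    print(verify_artefacts(SAMPLE_ARTEFACTS, MODEL_MANIFEST))
    print(unpinned_requirements(SAMPLE_REQUIREMENTS))
```

A `mismatch` or `unexpected` result for a model artefact is the signal a standard accuracy evaluation would not give, since a backdoored weight file can score normally.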

This assessment should be read alongside (dependency scanning), (licence compliance), (SBOMs), and, which provide the operational framework for ongoing supply chain monitoring. The supply chain risk assessment, SBOM generation and review process, and vendor security assessment results feed into Module 9.

Key outputs

  • Three-layer supply chain risk assessment
  • Per-layer attack vector identification
  • Integration with SBOM, dependency scanning, and licence compliance processes
  • Module 9 AISDP documentation