AI supply chain attacks: poisoned models, malicious LoRA adapters, and backdoored GGUF files
In one sentence
Academic and industry research documents the first systematic taxonomy of AI supply chain attacks: poisoned HuggingFace models, backdoored LoRA adapters, GGUF files with hidden payloads. HuggingFace launches mandatory malware scanning.
When you install software on a computer, you know (or should know) there are risks if you download from unofficial sources. But what happens when you download an AI model from the internet?
The answer, until 2024-2025, was that almost nobody thought about it. Models were shared on platforms like HuggingFace with almost no security checks, and researchers at Trail of Bits and elsewhere demonstrated that this was a serious problem.
An AI model can be poisoned in various ways: during training (data poisoning), after training via a malicious LoRA adapter, or through the file format itself (GGUF files used for quantized models can contain hidden executable code using Python's pickle serialization system). A model that appears to work normally may have a backdoor activated by a specific trigger, or it may execute arbitrary code the moment it is loaded into memory.
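The load-time code execution described above comes from deserialization: a pickle stream is a program the unpickler runs, and any import it names is executed before the "weights" are even returned. As an added defensive example (not code from the cited research or from HuggingFace), the scanner below walks a pickle's opcodes statically with `pickletools`, never unpickling, and reports every `module.name` the file would import plus how many call opcodes it contains; the allowlist of modules and the three constructed sample pickles are assumptions.

```python
import pickle
import pickletools
from collections import OrderedDict
from datetime import date

# Assumed allowlist: modules an ordinary PyTorch state_dict legitimately
# references. Any other import a checkpoint attempts is reported.
ALLOWED_MODULES = {"torch", "torch._utils", "collections", "numpy"}

# Opcodes that invoke a callable during unpickling; counted so a reviewer
# can see how much code a "data" file would run on load.
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def scan_pickle(data: bytes, allowed=ALLOWED_MODULES) -> dict:
    """Statically walk the opcode stream (never unpickles) and report
    imports, imports outside the allowlist, and the call-opcode count."""
    imports, disallowed, calls = [], [], 0
    recent = []  # last string operands; STACK_GLOBAL pops module then name
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPCODES:
            recent.append(arg)
            continue
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
        elif op.name == "STACK_GLOBAL":    # protocol 4+: operands come from stack
            if len(recent) < 2:
                disallowed.append((pos, "STACK_GLOBAL with unresolved operands"))
                continue
            module, name = recent[-2], recent[-1]
        else:
            if op.name in CALL_OPCODES:
                calls += 1
            continue
        imports.append(f"{module}.{name}")
        if module not in allowed and module.split(".")[0] not in allowed:
            disallowed.append((pos, f"{module}.{name}"))
    return {"imports": imports, "disallowed": disallowed, "calls": calls}


def is_safe_to_load(data: bytes) -> bool:
    return not scan_pickle(data)["disallowed"]


# Constructed samples: plain weights, a state_dict-style OrderedDict, and a
# pickle that imports a module (datetime) the loader never expected.
PLAIN = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)
STATE_DICT = pickle.dumps(OrderedDict(bias=[0.0]), protocol=2)
UNEXPECTED = pickle.dumps({"ts": date(2024, 1, 1)}, protocol=4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("state_dict", STATE_DICT), ("unexpected", UNEXPECTED)):
        print(label, scan_pickle(blob), "safe" if is_safe_to_load(blob) else "REJECT")
```

For a PyTorch zip-format checkpoint, run the scanner over the `data.pkl` member; the same opcode walk applies to any pickle-based model file.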
HuggingFace responded by launching mandatory malware scanning for all models uploaded to the platform. But the problem is broader: it affects all model repositories, all file formats, and the entire supply chain of AI components used in applications.
Companies
HuggingFace, Trail of Bits