<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Supply Chain &#183; PiniShv</title><link>https://pinishv.com/tags/supply-chain/</link><description>Pini Shvartsman leads AI transformation inside a 100+ engineer SaaS org. Field notes on autonomous engineering: AI-powered execution, human accountability.</description><generator>Hugo -- gohugo.io</generator><language>en</language><copyright>© 2026 Pini Shvartsman</copyright><lastBuildDate>Sun, 22 Mar 2026 20:00:00 +0200</lastBuildDate><atom:link href="https://pinishv.com/tags/supply-chain/index.xml" rel="self" type="application/rss+xml"/><item><title>Glassworm Is Back. Your Code Review Won't Catch It.</title><link>https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/</link><pubDate>Sun, 22 Mar 2026 20:00:00 +0200</pubDate><guid>https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/</guid><description>151 malicious packages in one week. The payload is invisible. Literally invisible. Glassworm uses Unicode characters that don&amp;rsquo;t render in any editor, terminal, or code review tool. And the cover commits are AI-generated. Here&amp;rsquo;s how it works and why your current defenses probably miss it.</description><content:encoded>&lt;p>Between March 3 and 9, 2026, &lt;a
href="https://www.aikido.dev/blog/the-return-of-the-invisible-threat-hidden-pua-unicode-hits-github-repositorties"
target="_blank"
>Aikido Security documented&lt;/a> 151 malicious packages uploaded across GitHub repositories, npm, and the VS Code/Open VSX marketplace. The campaign is called Glassworm, and it&amp;rsquo;s back for a second wave after first appearing in March 2025.&lt;/p>
&lt;p>What makes Glassworm different from most supply chain attacks is the technique. The malicious payload is invisible. Not obfuscated. Not minified. &lt;a
href="https://agent-wars.com/news/2026-03-14-glassworm-unicode-pua-supply-chain-attack"
target="_blank"
>Invisible&lt;/a>.&lt;/p>
&lt;p>I&amp;rsquo;ve been writing about &lt;a
href="https://pinishv.com/articles/ai-browser-hijacking-how-companies-fight-prompt-injection/">AI security threats&lt;/a> and &lt;a
href="https://pinishv.com/articles/securing-the-ai-supply-chain/">supply chain risks&lt;/a> for a while. Glassworm is the kind of attack that should change how you think about what &amp;ldquo;reviewing code&amp;rdquo; actually means.&lt;/p>
&lt;h2 class="relative group">How it works
&lt;div id="how-it-works" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#how-it-works" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Unicode has a range called the Private Use Area (PUA): characters from &lt;code>U+FE00&lt;/code> to &lt;code>U+FE0F&lt;/code> and &lt;code>U+E0100&lt;/code> to &lt;code>U+E01EF&lt;/code>. These characters are valid Unicode. They exist in the spec. But they don&amp;rsquo;t render. Not in VS Code. Not in your terminal. Not in GitHub&amp;rsquo;s diff view. Not in any standard code review interface.&lt;/p>
&lt;p>Glassworm encodes malicious JavaScript payloads as sequences of these invisible characters, stuffed inside what looks like an empty string. The actual code in the file looks something like this:&lt;/p>
&lt;div class="highlight">&lt;pre tabindex="0" class="chroma">&lt;code class="language-javascript" data-lang="javascript">&lt;span class="line">&lt;span class="cl">&lt;span class="kr">const&lt;/span> &lt;span class="nx">s&lt;/span> &lt;span class="o">=&lt;/span> &lt;span class="nx">v&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="p">[...&lt;/span>&lt;span class="nx">v&lt;/span>&lt;span class="p">].&lt;/span>&lt;span class="nx">map&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">w&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="p">(&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">=&lt;/span> &lt;span class="nx">w&lt;/span>&lt;span class="p">.&lt;/span>&lt;span class="nx">codePointAt&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="mi">0&lt;/span>&lt;span class="p">),&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;gt;=&lt;/span> &lt;span class="mh">0xFE00&lt;/span> &lt;span class="o">&amp;amp;&amp;amp;&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;lt;=&lt;/span> &lt;span class="mh">0xFE0F&lt;/span> &lt;span class="o">?&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">-&lt;/span> &lt;span class="mh">0xFE00&lt;/span> &lt;span class="o">:&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl"> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;gt;=&lt;/span> &lt;span class="mh">0xE0100&lt;/span> &lt;span class="o">&amp;amp;&amp;amp;&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">&amp;lt;=&lt;/span> &lt;span class="mh">0xE01EF&lt;/span> &lt;span class="o">?&lt;/span> &lt;span class="nx">w&lt;/span> &lt;span class="o">-&lt;/span> &lt;span class="mh">0xE0100&lt;/span> &lt;span class="o">+&lt;/span> &lt;span class="mi">16&lt;/span> &lt;span class="o">:&lt;/span> &lt;span class="kc">null&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="p">)).&lt;/span>&lt;span class="nx">filter&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">n&lt;/span> &lt;span class="p">=&amp;gt;&lt;/span> &lt;span class="nx">n&lt;/span> &lt;span class="o">!==&lt;/span> &lt;span class="kc">null&lt;/span>&lt;span class="p">);&lt;/span>
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">
&lt;/span>&lt;/span>&lt;span class="line">&lt;span class="cl">&lt;span class="nb">eval&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">Buffer&lt;/span>&lt;span class="p">.&lt;/span>&lt;span class="nx">from&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="nx">s&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="sb">``&lt;/span>&lt;span class="p">)).&lt;/span>&lt;span class="nx">toString&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="s1">&amp;#39;utf-8&amp;#39;&lt;/span>&lt;span class="p">));&lt;/span>
&lt;/span>&lt;/span>&lt;/code>&lt;/pre>&lt;/div>&lt;p>Those backticks at the end look empty. They&amp;rsquo;re not. They contain hundreds of invisible PUA characters that, when decoded by the function above, produce a full malicious payload. The &lt;code>eval()&lt;/code> executes it at runtime. No visible trace in the source file.&lt;/p>
&lt;p>The decoded payloads steal tokens, credentials, and secrets, using Solana blockchain as the command-and-control channel to make the exfiltration harder to trace and block.&lt;/p>
&lt;h2 class="relative group">Why this is harder to catch than you think
&lt;div id="why-this-is-harder-to-catch-than-you-think" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#why-this-is-harder-to-catch-than-you-think" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Traditional code review fails completely against this. A human looking at the diff sees a small utility function and an empty string. Syntax highlighting doesn&amp;rsquo;t flag it. Linting doesn&amp;rsquo;t catch it because the characters are valid Unicode. Grep doesn&amp;rsquo;t find it because you can&amp;rsquo;t search for characters you can&amp;rsquo;t see.&lt;/p>
&lt;p>AI code review tools face the same problem. They operate on the visible text of the code. If the malicious content is invisible characters inside a string literal, the model sees an empty string. The &lt;a
href="https://techcrunch.com/2026/03/09/anthropic-launches-code-review-tool-to-check-flood-of-ai-generated-code"
target="_blank"
>Anthropic Code Review tool&lt;/a> that launched this month dispatches agents to analyze PRs for bugs and security issues. But if the payload isn&amp;rsquo;t visible in the code representation the model receives, it doesn&amp;rsquo;t get analyzed.&lt;/p>
&lt;p>And Glassworm&amp;rsquo;s operators are making detection even harder. The visible parts of malicious commits, the parts humans and AI can see, are &lt;a
href="https://agent-wars.com/news/2026-03-15-glassworm-returns-invisible-unicode-attacks-hit-150-github-repos-npm-and-vs-code"
target="_blank"
>deliberately convincing&lt;/a>. Documentation tweaks. Version bumps. Minor bug fixes. Stylistically consistent with the target repository. Security researchers believe attackers are using LLMs to generate these cover changes at scale across 151+ different codebases.&lt;/p>
&lt;p>So you have AI generating realistic-looking innocent commits to cover payloads that are invisible to both human reviewers and AI reviewers. That&amp;rsquo;s a new class of problem.&lt;/p>
&lt;h2 class="relative group">What this means for your team
&lt;div id="what-this-means-for-your-team" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-this-means-for-your-team" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>If you&amp;rsquo;re pulling npm packages, installing VS Code extensions, or depending on open source libraries (so, everyone), here&amp;rsquo;s what matters:&lt;/p>
&lt;p>&lt;strong>Your current review process probably doesn&amp;rsquo;t detect this.&lt;/strong> Unless your toolchain specifically scans for Unicode PUA characters in source files, invisible payloads pass through. &lt;a
href="https://snyk.io/articles/defending-against-glassworm/"
target="_blank"
>Snyk&amp;rsquo;s analysis&lt;/a> recommends detecting Unicode characters by category rather than maintaining explicit character lists, which means your existing SAST tools need updating.&lt;/p>
&lt;p>&lt;strong>Pin your dependencies and audit updates.&lt;/strong> Glassworm targets existing repos with seemingly innocent version bumps and doc changes. If you auto-merge dependency updates or trust patch versions without review, you&amp;rsquo;re exposed.&lt;/p>
&lt;p>&lt;strong>Scan for &lt;code>eval()&lt;/code> and dynamic execution patterns.&lt;/strong> The invisible payload still needs &lt;code>eval()&lt;/code> or an equivalent to execute. Static analysis rules that flag dynamic code execution in dependency code are your best early warning.&lt;/p>
&lt;p>&lt;strong>Be suspicious of repos you haven&amp;rsquo;t verified recently.&lt;/strong> Some of the compromised repos had over 1,400 GitHub stars. Popularity doesn&amp;rsquo;t mean safety. The Wasmer WebAssembly runtime was among the targeted projects.&lt;/p>
&lt;p>&lt;strong>VS Code extensions are a vector.&lt;/strong> Glassworm hit the Open VSX marketplace too. Extensions run with significant privileges. If your team installs extensions casually, you have an unmonitored attack surface.&lt;/p>
&lt;h2 class="relative group">The bigger picture
&lt;div id="the-bigger-picture" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-bigger-picture" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>I&amp;rsquo;ve written about &lt;a
href="https://pinishv.com/articles/ai-security-culture-problem/">AI security as a culture problem&lt;/a> and &lt;a
href="https://pinishv.com/articles/building-ai-systems-that-dont-break-under-attack/">building systems that don&amp;rsquo;t break under attack&lt;/a>. Glassworm sits at the intersection of two trends I keep coming back to.&lt;/p>
&lt;p>First, AI is accelerating both sides. Defenders are using AI to review code faster. Attackers are using AI to generate convincing cover commits at scale. The speed advantage isn&amp;rsquo;t one-sided.&lt;/p>
&lt;p>Second, the supply chain is where the real vulnerability concentration lives. Your code might be clean. Your review process might be solid. But if one of your 400 transitive dependencies gets compromised with an invisible payload that no human or AI reviewer can see, none of that matters.&lt;/p>
&lt;p>Glassworm didn&amp;rsquo;t exploit a zero-day. It didn&amp;rsquo;t find a novel vulnerability. It exploited the gap between what we look at and what we actually see. That gap is getting wider as codebases grow faster, reviews get thinner, and both sides of the attack use AI to scale.&lt;/p>
&lt;p>The fix isn&amp;rsquo;t one tool or one policy. It&amp;rsquo;s treating your supply chain with the same paranoia you&amp;rsquo;d treat your own production code. Because right now, for a lot of teams, that&amp;rsquo;s the door nobody&amp;rsquo;s watching.&lt;/p>
&lt;hr>
&lt;p>&lt;em>Seen something like Glassworm in your own supply chain? Dealing with invisible threats in your dependencies? I&amp;rsquo;d love to hear about it. Find me on &lt;a
href="https://x.com/PiniShv"
target="_blank"
>X&lt;/a> or &lt;a
href="https://t.me/by_Pini"
target="_blank"
>Telegram&lt;/a>.&lt;/em>&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/glassworm-invisible-unicode-supply-chain/feature.png"/></item><item><title>Securing the AI Supply Chain: The Threat Nobody's Talking About</title><link>https://pinishv.com/articles/securing-the-ai-supply-chain/</link><pubDate>Mon, 13 Oct 2025 00:00:00 +0000</pubDate><guid>https://pinishv.com/articles/securing-the-ai-supply-chain/</guid><description>We&amp;rsquo;re building AI systems on top of models, datasets, and tools we don&amp;rsquo;t control. The supply chain is the attack vector nobody&amp;rsquo;s defending, and the implications are staggering.</description><content:encoded>&lt;p>&lt;em>This is Part 3 of the &amp;ldquo;Securing Intelligence&amp;rdquo; series on AI security.&lt;/em>&lt;/p>
&lt;hr>
&lt;p>You&amp;rsquo;ve secured your prompts. You&amp;rsquo;ve implemented defensive architectures. You&amp;rsquo;ve got AI firewalls and zero-trust principles in place. You feel good about your security posture.&lt;/p>
&lt;p>Then someone on your team downloads a pre-trained model from Hugging Face, copies a prompt template from a popular GitHub repo, or installs a LangChain plugin to add functionality. And just like that, you&amp;rsquo;ve potentially introduced malicious code into your AI system that bypasses every defense you carefully built.&lt;/p>
&lt;p>&lt;strong>Welcome to the AI supply chain problem: the attack vector that most organizations don&amp;rsquo;t even know exists.&lt;/strong>&lt;/p>
&lt;p>This isn&amp;rsquo;t theoretical. We&amp;rsquo;re building AI systems on top of components we don&amp;rsquo;t control, can&amp;rsquo;t audit, and have no way to verify. The parallels to SolarWinds and Log4j should terrify you. But unlike those traditional supply chain attacks, AI supply chain compromises are harder to detect, easier to execute, and potentially more damaging.&lt;/p>
&lt;p>Let me show you why this keeps security professionals up at night.&lt;/p>
&lt;h2 class="relative group">The Pre-Trained Model Problem
&lt;div id="the-pre-trained-model-problem" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-pre-trained-model-problem" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>When you download a model from Hugging Face, PyTorch Hub, or any model repository, what are you actually getting?&lt;/p>
&lt;p>&lt;strong>A multi-gigabyte black box that could contain anything.&lt;/strong>&lt;/p>
&lt;p>You&amp;rsquo;re trusting that:&lt;/p>
&lt;ul>
&lt;li>The model wasn&amp;rsquo;t trained on poisoned data designed to create backdoors&lt;/li>
&lt;li>The weights weren&amp;rsquo;t modified after training to introduce vulnerabilities&lt;/li>
&lt;li>The model card accurately describes what the model does&lt;/li>
&lt;li>The hosting platform wasn&amp;rsquo;t compromised&lt;/li>
&lt;li>The original researcher had good security practices&lt;/li>
&lt;/ul>
&lt;p>That&amp;rsquo;s a lot of trust for something running in your production environment with access to your data.&lt;/p>
&lt;h3 class="relative group">Backdoored Models Are Real
&lt;div id="backdoored-models-are-real" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#backdoored-models-are-real" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Research has demonstrated that attackers can poison training data to create models with targeted backdoors. The model performs normally 99.9% of the time, but when it sees a specific trigger phrase, it executes attacker-controlled behavior.&lt;/p>
&lt;p>Imagine a code completion model that generates secure code most of the time, but when it encounters a specific comment pattern in a particular library, it introduces a subtle vulnerability. Or a sentiment analysis model that correctly classifies most text, but consistently misclassifies content from specific sources.&lt;/p>
&lt;p>&lt;strong>The scary part&lt;/strong>: These backdoors can survive fine-tuning. You can train the model on your own clean data, and the backdoor remains, dormant, waiting for its trigger.&lt;/p>
&lt;h3 class="relative group">Weight Poisoning
&lt;div id="weight-poisoning" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#weight-poisoning" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Even without training data access, attackers can modify model weights directly. Researchers have shown you can inject malicious behavior into a model by modifying less than 0.1% of its parameters. Changes so small they&amp;rsquo;re nearly impossible to detect through standard testing.&lt;/p>
&lt;p>You download what looks like a legitimate model. It performs well on your benchmarks. It seems fine in testing. Then in production, under specific conditions, it starts exhibiting compromised behavior.&lt;/p>
&lt;p>&lt;strong>Detection is nearly impossible&lt;/strong> without knowing exactly what you&amp;rsquo;re looking for. Traditional code analysis doesn&amp;rsquo;t work; these are numerical values, not code. You can&amp;rsquo;t just scan for vulnerabilities like you would with software dependencies.&lt;/p>
&lt;h2 class="relative group">The Prompt Template Trap
&lt;div id="the-prompt-template-trap" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-prompt-template-trap" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Your team needs to build a customer support bot. Someone finds a great prompt template on GitHub with 5,000 stars. You copy it into your system. Congratulations: you might have just deployed a prompt injection vulnerability.&lt;/p>
&lt;p>Popular prompt templates are attack vectors hiding in plain sight. An attacker doesn&amp;rsquo;t need to compromise your infrastructure. They just need to contribute to popular open-source repos and wait for people to copy their code.&lt;/p>
&lt;p>&lt;strong>What malicious prompt templates can do:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Include hidden instructions that activate under specific conditions&lt;/li>
&lt;li>Contain subtle biases that influence model behavior&lt;/li>
&lt;li>Leak information through cleverly crafted examples&lt;/li>
&lt;li>Create vulnerabilities in how they structure system vs. user content&lt;/li>
&lt;/ul>
&lt;p>The challenge is that prompt templates look harmless. They&amp;rsquo;re just text files. Your security team isn&amp;rsquo;t reviewing them the way they would code. But they&amp;rsquo;re executable instructions for an AI system, and they deserve the same scrutiny.&lt;/p>
&lt;h2 class="relative group">Plugin and Extension Risks
&lt;div id="plugin-and-extension-risks" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#plugin-and-extension-risks" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The LangChain ecosystem, LlamaIndex, and similar frameworks have thriving plugin ecosystems. Need your AI to search the web? There&amp;rsquo;s a plugin. Need it to access databases? There&amp;rsquo;s a plugin. Need it to integrate with Slack? There&amp;rsquo;s a plugin.&lt;/p>
&lt;p>&lt;strong>Each plugin is executable code running with your AI&amp;rsquo;s permissions.&lt;/strong> And most of them are maintained by individual developers or small teams with varying security practices.&lt;/p>
&lt;p>We&amp;rsquo;re repeating the npm ecosystem&amp;rsquo;s mistakes, but with AI. Remember the event-stream compromise? A popular npm package with millions of downloads was modified to steal cryptocurrency. The maintainer handed control to someone who seemed legitimate, and that person introduced malicious code.&lt;/p>
&lt;p>The AI ecosystem is even more vulnerable because:&lt;/p>
&lt;ul>
&lt;li>Plugins often need broad permissions to be useful&lt;/li>
&lt;li>Testing is harder (how do you verify an AI tool works correctly in all cases?)&lt;/li>
&lt;li>The community is newer and security practices are immature&lt;/li>
&lt;li>The potential damage is greater (AI systems often have access to sensitive data)&lt;/li>
&lt;/ul>
&lt;h2 class="relative group">The Third-Party API Problem
&lt;div id="the-third-party-api-problem" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-third-party-api-problem" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Most organizations aren&amp;rsquo;t running their own LLMs. They&amp;rsquo;re using OpenAI, Anthropic, Cohere, or other hosted services. That&amp;rsquo;s a dependency too, and one you have even less control over.&lt;/p>
&lt;p>&lt;strong>What could go wrong:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Provider compromise (their infrastructure is breached)&lt;/li>
&lt;li>Model updates that change behavior unexpectedly&lt;/li>
&lt;li>Data retention and privacy concerns&lt;/li>
&lt;li>Service outages that break your critical systems&lt;/li>
&lt;li>Provider going out of business or changing terms&lt;/li>
&lt;/ul>
&lt;p>You&amp;rsquo;ve built your entire AI strategy on top of an API you don&amp;rsquo;t control. What&amp;rsquo;s your contingency plan if that API disappears tomorrow? Or worse, if it gets compromised and starts returning subtly malicious outputs?&lt;/p>
&lt;p>&lt;strong>The multi-provider trap&lt;/strong>: You might think using multiple providers gives you redundancy. But now you have multiple trust dependencies, different security models to evaluate, and the challenge of ensuring consistent behavior across providers.&lt;/p>
&lt;h2 class="relative group">Vector Database Poisoning
&lt;div id="vector-database-poisoning" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#vector-database-poisoning" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Here&amp;rsquo;s one most teams haven&amp;rsquo;t thought about: RAG systems are only as trustworthy as their vector databases.&lt;/p>
&lt;p>If an attacker can inject malicious documents into your knowledge base, they can influence your AI&amp;rsquo;s responses. We covered this as indirect prompt injection in &lt;a
href="../prompt-injection-2-0-the-new-frontier-of-ai-attacks">Part 1&lt;/a>, but the supply chain angle is even more insidious.&lt;/p>
&lt;p>&lt;strong>Sources of contaminated vector databases:&lt;/strong>&lt;/p>
&lt;ul>
&lt;li>Inherited data from previous teams or acquisitions&lt;/li>
&lt;li>Documents scraped from untrusted sources&lt;/li>
&lt;li>&amp;ldquo;Clean&amp;rdquo; datasets downloaded from research repositories&lt;/li>
&lt;li>Backup restores from compromised snapshots&lt;/li>
&lt;li>Insider threats from contractors with data access&lt;/li>
&lt;/ul>
&lt;p>Unlike prompt injection, which happens at query time, vector database poisoning is persistent. It sits in your knowledge base, waiting to be retrieved and used to influence responses.&lt;/p>
&lt;p>&lt;strong>The detection problem&lt;/strong>: How do you audit thousands or millions of embedded documents for malicious content? Traditional scanning doesn&amp;rsquo;t work; the malicious instructions might be perfectly valid text that only becomes dangerous when retrieved as context for an LLM.&lt;/p>
&lt;h2 class="relative group">The Open-Source Dependency Chain
&lt;div id="the-open-source-dependency-chain" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-open-source-dependency-chain" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Modern AI systems rely on dozens of dependencies: LangChain, LlamaIndex, HuggingFace Transformers, vector databases, embedding models, and countless utility libraries.&lt;/p>
&lt;p>&lt;strong>Each dependency is a potential compromise point.&lt;/strong> And AI dependencies are particularly dangerous because:&lt;/p>
&lt;ul>
&lt;li>They often have broad permissions (file system access, network access, execution rights)&lt;/li>
&lt;li>Updates are frequent and fast-moving (breaking changes are common)&lt;/li>
&lt;li>Security audits are rare (everyone&amp;rsquo;s moving too fast)&lt;/li>
&lt;li>The transitive dependency chain is deep (your direct dependencies have dependencies)&lt;/li>
&lt;/ul>
&lt;p>We learned this lesson with traditional software supply chain attacks. But AI teams are making the same mistakes because the technology is new and everyone&amp;rsquo;s in a rush to ship.&lt;/p>
&lt;h3 class="relative group">The AI Supply Chain Risk Landscape
&lt;div id="the-ai-supply-chain-risk-landscape" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-ai-supply-chain-risk-landscape" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Here&amp;rsquo;s a practical view of common AI components and their risk profiles:&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Component Type&lt;/th>
&lt;th>Examples&lt;/th>
&lt;th>Risk Level&lt;/th>
&lt;th>Primary Concerns&lt;/th>
&lt;th>Verification Difficulty&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;strong>Pre-trained Models&lt;/strong>&lt;/td>
&lt;td>Hugging Face, PyTorch Hub&lt;/td>
&lt;td>High&lt;/td>
&lt;td>Backdoors, poisoned weights, malicious behavior&lt;/td>
&lt;td>Very Difficult&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Prompt Templates&lt;/strong>&lt;/td>
&lt;td>GitHub repos, blogs&lt;/td>
&lt;td>Medium&lt;/td>
&lt;td>Hidden instructions, injection vectors&lt;/td>
&lt;td>Moderate&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Plugins/Extensions&lt;/strong>&lt;/td>
&lt;td>LangChain tools, custom agents&lt;/td>
&lt;td>High&lt;/td>
&lt;td>Broad permissions, code execution&lt;/td>
&lt;td>Moderate&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Vector Databases&lt;/strong>&lt;/td>
&lt;td>Pinecone, Weaviate, Chroma&lt;/td>
&lt;td>Medium&lt;/td>
&lt;td>Data poisoning, access control&lt;/td>
&lt;td>Difficult&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Third-party APIs&lt;/strong>&lt;/td>
&lt;td>OpenAI, Anthropic, Cohere&lt;/td>
&lt;td>Medium&lt;/td>
&lt;td>Provider compromise, data privacy&lt;/td>
&lt;td>Very Difficult&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Training Datasets&lt;/strong>&lt;/td>
&lt;td>Open datasets, scraped data&lt;/td>
&lt;td>High&lt;/td>
&lt;td>Poisoned data, bias injection&lt;/td>
&lt;td>Very Difficult&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Embedding Models&lt;/strong>&lt;/td>
&lt;td>Sentence transformers, OpenAI&lt;/td>
&lt;td>Medium&lt;/td>
&lt;td>Behavior manipulation&lt;/td>
&lt;td>Difficult&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;strong>Framework Dependencies&lt;/strong>&lt;/td>
&lt;td>LangChain, LlamaIndex&lt;/td>
&lt;td>Medium&lt;/td>
&lt;td>Transitive dependencies, updates&lt;/td>
&lt;td>Moderate&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>Use this as a starting point for your supply chain risk assessment. Not all components need the same level of scrutiny; focus your efforts on high-risk items first.&lt;/p>
&lt;h2 class="relative group">What You Can Actually Do
&lt;div id="what-you-can-actually-do" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-you-can-actually-do" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>This all sounds dire. And honestly, it is. But giving up isn&amp;rsquo;t an option. Here&amp;rsquo;s what responsible AI teams are doing:&lt;/p>
&lt;h3 class="relative group">Verify Provenance
&lt;div id="verify-provenance" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#verify-provenance" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Know where your models, data, and tools come from. Maintain an inventory:&lt;/p>
&lt;ul>
&lt;li>Which models are you using, and who trained them?&lt;/li>
&lt;li>What datasets were used in training?&lt;/li>
&lt;li>Which prompt templates came from external sources?&lt;/li>
&lt;li>What plugins and extensions are installed?&lt;/li>
&lt;/ul>
&lt;p>&lt;strong>Treat AI components like you treat software dependencies.&lt;/strong> You wouldn&amp;rsquo;t &lt;code>npm install&lt;/code> random packages without reviewing them. Don&amp;rsquo;t download random models without scrutiny.&lt;/p>
&lt;h3 class="relative group">Implement Model Validation
&lt;div id="implement-model-validation" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#implement-model-validation" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Before deploying a model, test it aggressively:&lt;/p>
&lt;ul>
&lt;li>Benchmark on diverse datasets, not just the happy path&lt;/li>
&lt;li>Test for bias and unexpected behavior patterns&lt;/li>
&lt;li>Look for anomalies in edge cases&lt;/li>
&lt;li>Compare behavior to known-good baselines&lt;/li>
&lt;/ul>
&lt;p>This won&amp;rsquo;t catch sophisticated backdoors, but it will catch sloppy attacks and obvious compromises.&lt;/p>
&lt;h3 class="relative group">Sandbox External Components
&lt;div id="sandbox-external-components" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#sandbox-external-components" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Run untrusted models and plugins in sandboxed environments with limited permissions. If you&amp;rsquo;re testing a new model, don&amp;rsquo;t give it production database access right away.&lt;/p>
&lt;p>&lt;strong>Air-gapped evaluation environments&lt;/strong> are your friend. Test models on representative but isolated data before promoting them to production.&lt;/p>
&lt;h3 class="relative group">Monitor for Anomalies
&lt;div id="monitor-for-anomalies" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#monitor-for-anomalies" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Establish baselines for normal behavior and alert on deviations:&lt;/p>
&lt;ul>
&lt;li>Unexpected data access patterns&lt;/li>
&lt;li>Output characteristics that don&amp;rsquo;t match training&lt;/li>
&lt;li>Performance degradation or latency changes&lt;/li>
&lt;li>Unusual API call patterns from plugins&lt;/li>
&lt;/ul>
&lt;p>The goal isn&amp;rsquo;t to prevent compromise; it&amp;rsquo;s to detect it quickly and respond before damage spreads.&lt;/p>
&lt;h3 class="relative group">Pin Versions and Review Updates
&lt;div id="pin-versions-and-review-updates" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#pin-versions-and-review-updates" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Don&amp;rsquo;t auto-update AI dependencies. Pin specific versions, test updates in staging, and review changelogs before deploying to production.&lt;/p>
&lt;p>This seems obvious, but I&amp;rsquo;ve seen teams that carefully version-control their application code while their AI dependencies update automatically every time they deploy. That&amp;rsquo;s a recipe for production surprises.&lt;/p>
&lt;h3 class="relative group">Build Redundancy and Fallbacks
&lt;div id="build-redundancy-and-fallbacks" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#build-redundancy-and-fallbacks" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h3>
&lt;p>Don&amp;rsquo;t bet your entire system on a single model or provider. Have fallback options:&lt;/p>
&lt;ul>
&lt;li>Alternative models for critical paths&lt;/li>
&lt;li>Cached responses for common queries&lt;/li>
&lt;li>Graceful degradation when AI components fail&lt;/li>
&lt;li>Manual processes as last resorts&lt;/li>
&lt;/ul>
&lt;p>The goal is resilience, not just security. But resilience is security: if your AI system being compromised doesn&amp;rsquo;t take down your entire business, you&amp;rsquo;re in a better position.&lt;/p>
&lt;h2 class="relative group">The Industry Needs to Do Better
&lt;div id="the-industry-needs-to-do-better" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-industry-needs-to-do-better" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>Individual teams can&amp;rsquo;t solve this alone. We need industry-level changes:&lt;/p>
&lt;p>&lt;strong>Model signing and verification&lt;/strong> - Cryptographic signatures that prove a model came from a specific source and wasn&amp;rsquo;t tampered with. This exists for software packages; we need it for AI components.&lt;/p>
&lt;p>&lt;strong>Standardized security audits&lt;/strong> - Third-party audits of popular models, frameworks, and tools. Right now, security review of AI components is ad-hoc at best.&lt;/p>
&lt;p>&lt;strong>Vulnerability disclosure processes&lt;/strong> - When someone finds a backdoor in a popular model, where do they report it? We need CVE equivalents for AI components.&lt;/p>
&lt;p>&lt;strong>Transparency requirements&lt;/strong> - Training data provenance, fine-tuning history, and known limitations should be documented standards, not optional extras.&lt;/p>
&lt;p>&lt;strong>Supply chain attestation&lt;/strong> - Ways to prove that your AI system only uses verified, audited components. This is critical for regulated industries.&lt;/p>
&lt;p>Some of this is starting to happen. The ML Commons, NIST, and various industry groups are working on standards. But adoption is slow, and most organizations are moving too fast to wait for perfect solutions.&lt;/p>
&lt;h2 class="relative group">The Uncomfortable Truth
&lt;div id="the-uncomfortable-truth" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#the-uncomfortable-truth" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>The AI supply chain is fundamentally insecure, and it&amp;rsquo;s going to stay that way for a while. We&amp;rsquo;re building critical systems on top of components we can&amp;rsquo;t fully trust or verify.&lt;/p>
&lt;p>&lt;strong>This is the cost of moving fast.&lt;/strong> The organizations that succeed will be the ones that acknowledge the risk and build accordingly: with monitoring, redundancy, and incident response plans that assume compromise.&lt;/p>
&lt;p>The ones that fail will be the ones that discover their critical AI system has been running compromised code for six months, and they have no way to know what damage has been done.&lt;/p>
&lt;h2 class="relative group">What Comes Next
&lt;div id="what-comes-next" class="anchor">&lt;/div>
&lt;span
class="absolute top-0 w-6 transition-opacity opacity-0 ltr:-left-6 rtl:-right-6 not-prose group-hover:opacity-100 select-none">
&lt;a class="group-hover:text-primary-300 dark:group-hover:text-neutral-700 !no-underline" href="#what-comes-next" aria-label="Anchor">#&lt;/a>
&lt;/span>
&lt;/h2>
&lt;p>In &lt;em>&lt;strong>the final part of this series&lt;/strong>&lt;/em>, we&amp;rsquo;re going to zoom out from technical controls and talk about the hardest part of AI security: culture.&lt;/p>
&lt;p>Because here&amp;rsquo;s the thing: you can implement every technical control in this series (prompt isolation, AI firewalls, supply chain verification, monitoring) and still get breached if your organization&amp;rsquo;s culture doesn&amp;rsquo;t take AI security seriously.&lt;/p>
&lt;p>The final piece isn&amp;rsquo;t about tools or architecture. It&amp;rsquo;s about building teams that think about security by default, that balance innovation with responsibility, and that can respond effectively when things go wrong. Because in AI security, it&amp;rsquo;s not if things go wrong; it&amp;rsquo;s when.&lt;/p></content:encoded><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://pinishv.com/articles/securing-the-ai-supply-chain/feature.png"/></item></channel></rss>