AI Supply Chain Security: From SBOM to AIBOM, Slopsquatting and Model Poisoning
AI supply chain security explained: slopsquatting, model poisoning, NullifAI and ShaiHulud, from SBOM to AIBOM and the defenses that work in 2026.
Key takeaways: AI supply chain security 4
The new attack classes the AI supply chain adds on top of classic dependency risk, and the defenses that work against each.
- Three structural changes, not one A new chooser (AI-recommended packages), a new artifact (executable model files) and a new tempo (self-propagating worms).
- Slopsquatting exploits predictable hallucinations 19.7% of AI-recommended packages did not exist in the arXiv 2406.10279 study, and 43% of hallucinated names recurred across all 10 re-runs.
- Model files can carry malware The NullifAI case showed poisoned PyTorch models on Hugging Face evading the Picklescan check.
- AIBOM extends SBOM discipline to AI Inventory models, datasets, weights and AI tooling with provenance so a disclosure is a lookup, not an investigation.
Software supply chain security used to mean vetting the packages your developers chose. In 2026 your developers are not the only ones choosing. Coding assistants suggest dependencies, agents install them, model hubs distribute executable artifacts and the malware ecosystem has adapted to every one of those channels. This article maps the new vocabulary, slopsquatting, model poisoning, AIBOM, to real incidents with dates, then lays out the defenses that work.
In short: the AI supply chain adds new attack classes on top of classic dependency risk: slopsquatting exploits hallucinated package names that AI assistants recommend, model poisoning hides malware inside model files and self-replicating worms like ShaiHulud 2.0 spread through package registries at ecosystem scale. Research indexed as arXiv 2406.10279 found 19.7% of AI-recommended packages did not exist at all. The emerging answer is extending the SBOM discipline to an AIBOM that inventories models, datasets and AI tooling.
Why the AI supply chain is different

Three structural changes separate the AI-era supply chain from the classic one:
- A new chooser. LLMs recommend packages, and they hallucinate names with unsettling consistency. Anything a model reliably invents, an attacker can register.
- A new artifact. Models are executable content. Serialization formats like Python’s Pickle can carry code, so “downloading a model” can mean “running an attacker’s payload”.
- A new tempo. Worm-style campaigns now propagate through registries automatically, compromising hundreds of packages faster than manual review cycles can react.
Each change has already produced named incidents. The table below is the working vocabulary.
The threat vocabulary, with receipts
| Term | Definition | Real example |
|---|---|---|
| Slopsquatting | Registering package names that AI assistants hallucinate, so developers who trust the suggestion install malware | Research indexed as arXiv 2406.10279 found 19.7% of AI-recommended packages did not exist, spanning 205,474 unique hallucinated names; 43% of hallucinations reappeared in all 10 identical re-runs. Term coined by the Python Software Foundation’s Seth Larson (source: CSA research note, Apr 19 2026) |
| Model poisoning | Embedding malicious payloads inside model files so loading the model executes attacker code | NullifAI – ReversingLabs researchers found two PyTorch models on Hugging Face carrying malicious Pickle payloads that evaded the Picklescan security check using 7z compression and a deliberately broken Pickle stream (source: reversinglabs.com) |
| Registry worm | Self-replicating malware that uses stolen maintainer credentials to publish itself into ever more packages | ShaiHulud 2.0 – a self-replicating npm campaign that compromised 796+ packages with 20M+ combined weekly downloads and exfiltrated roughly 14,000 secrets across 487 organizations (source: orca.security) |
| Token-theft pipeline attack | Compromising CI/CD or security tooling to steal publishing credentials for downstream package takeover | The March 24 2026 LiteLLM incident, where PyPI tokens stolen via a compromised Trivy scanner were used to publish backdoored releases of a package with ~95M monthly downloads (source: blog.pypi.org incident report, Apr 2 2026) |
| AIBOM | An AI bill of materials – an SBOM extended to inventory models, datasets, weights and AI tooling with their provenance | The OWASP GenAI Security Project runs an official AIBOM Generator (AI-SBOM) initiative to standardize the format (source: genai.owasp.org) |
Slopsquatting: when the hallucination is the exploit
The mechanics deserve a closer look because they invert the usual typosquatting economics. A typosquatter guesses what humans mistype. A slopsquatter measures what models invent, and models are far more predictable than fingers: in the arXiv 2406.10279 study, 43% of hallucinated package names reappeared on all 10 identical re-runs and 58% recurred more than once (source: contrastsecurity.com). That repeatability means an attacker can harvest a model’s favorite fictional packages, register them on PyPI or npm and wait for AI-assisted developers to install them.
The defense is procedural, not heroic: every AI-suggested dependency gets verified against the registry, age, maintainers, download history, repository link, before installation, and lockfiles ensure nothing new arrives silently. Teams using coding agents should route installs through an internal proxy registry with an allowlist, so a hallucinated name resolves to nothing rather than to malware.
Model poisoning: the model file as payload
The NullifAI case documented by ReversingLabs shows how thin the protective layer on model hubs can be. Two PyTorch models hosted on Hugging Face carried malicious Pickle payloads, and they evaded Picklescan, the hub’s own detection, by packing the archive with 7z and corrupting the Pickle stream just enough to break the scanner while still executing on load (source: reversinglabs.com).
Practical implications for any team pulling models from public hubs:
- Prefer safetensors or other non-executable serialization formats wherever the ecosystem allows
- Treat model loading like running unreviewed code: load in a sandboxed environment with no credentials and restricted egress on first use
- Pin models by content hash, not by name or “latest” tag
- Record every model, its source and its hash in your AIBOM so an upstream disclosure is a lookup, not an investigation
Worms and token theft: velocity as the weapon
ShaiHulud 2.0 demonstrated what automation does to registry compromise: 796+ npm packages, 20M+ weekly downloads in aggregate and roughly 14,000 secrets stolen across 487 organizations (source: orca.security). Each infected package stole maintainer credentials and used them to infect more packages, a propagation loop with no human in it. The LiteLLM token-theft attack of March 2026 made the complementary point: compromising the tooling around packages, including security scanners themselves, yields publishing credentials for high-value targets.
Against automated propagation, the effective controls are the boring ones applied strictly: pinned versions with a 48-72 hour soak delay before adopting new releases, scoped short-lived publishing tokens, mandatory 2FA for maintainers and CI systems that cannot read more secrets than the job needs.
From SBOM to AIBOM
An SBOM answers “what software are we running”. An AIBOM extends the question to “what models, weights, datasets and AI tooling are we running, and where did each come from”. The OWASP GenAI Security Project maintains an official AIBOM Generator initiative to give the format standard tooling (source: genai.owasp.org), and the direction of travel is clear: procurement and compliance reviews are beginning to ask for AI inventories the way they ask for SBOMs today, a natural extension of the AI governance programs many organizations already run.
A minimal useful AIBOM records for every AI component: name and version or hash, source and license, provenance chain (who trained or fine-tuned it, on what), the serialization format and the last security review date. Teams that had an SBOM discipline before Log4Shell answered “are we affected” in minutes; an AIBOM buys the same minutes for the NullifAI-class disclosures that 2026 keeps producing, one of the higher-value additions to the state of application security in 2026.
How Pharos Production helps secure the AI supply chain
The AI supply chain did not replace the classic one, it stacked new attack classes on top of it, each with a 2025-2026 incident to its name. The defenses are knowable: verify what AI suggests, sandbox what you load, pin what you depend on, delay what just shipped and inventory all of it in an AIBOM. What most teams lack is not the playbook but the time to run it. If you want your AI dependency chain audited, packages, models, registries, CI tokens and the AIBOM to govern them, our security team does this as a scoped engagement through our cybersecurity services and security audits.
Sources: research indexed as arXiv 2406.10279; ReversingLabs (reversinglabs.com); Orca Security (orca.security); PyPI incident report, Apr 2 2026 (blog.pypi.org); OWASP GenAI Security Project (genai.owasp.org). Figures and dates are as published by the cited sources at the time of writing.
FAQ
Quick answers to common questions about custom software development, pricing, process and technology.
Type to filter questions and answers. Use Topic to narrow the list.
Showing all 3
No matches
Try a different keyword, change the topic, or clear filters
-
Slopsquatting is registering software package names that AI coding assistants hallucinate, so developers who install the suggested package get malware instead of a missing-package error. The term was coined by the Python Software Foundation’s Seth Larson.
Research indexed as arXiv 2406.10279 found 19.7% of AI-recommended packages did not exist, covering 205,474 unique hallucinated names, and 43% of those hallucinations recurred across all 10 identical re-runs, making them predictable targets for attackers.
-
An AIBOM (AI bill of materials) extends the SBOM concept to AI components: it inventories models, weights, datasets and AI tooling together with their sources, hashes and provenance, not just software packages. The OWASP GenAI Security Project runs an official AIBOM Generator initiative to standardize the practice.
The value is incident response speed, when a poisoned model or package is disclosed, an AIBOM turns “are we affected” into a lookup.
-
The NullifAI technique documented by ReversingLabs shows one route: malicious Pickle payloads inside PyTorch models on Hugging Face used 7z compression and a deliberately broken Pickle stream so the Picklescan checker failed to parse the file while the payload still executed on load. Defenses include preferring non-executable formats like safetensors, sandboxing first-time model loads and pinning models by content hash.
I work with startup founders who need a dedicated software development team but don’t want to gamble on hiring, random outsourcing, or opaque delivery.
Most founders face the same problem sooner or later.
Early technical and team decisions lock the product into tech debt, slow delivery, missed milestones and constant re-hiring. By the time this becomes visible, fixing it is already expensive.As a CTO and software architect, I help founders design, build and run dedicated development teams that work as a true extension of the startup. Not as a black-box vendor.
My focus is on complex products where mistakes are costly:
- Web3 and blockchain platforms
- FinTech and regulated products
- High-load startup systems
- MVP → scale transitions
We don’t do body-shopping.
We don’t sell generic outsourcing.Instead, we help founders:
- build the right team structure from day one
- keep technical ownership and transparency
- scale delivery without losing control
- avoid vendor lock-in and hidden risks
Teams are aligned with the product roadmap, business goals and long-term architecture. Not just short-term velocity.