MR-018: AI supply-chain and infrastructure vulnerabilities

Vulnerabilities in AI frameworks, dependencies, hardware, or reused third-party/foundation models propagate risk to the deployed system.

Risk family: Third party & supply chain
MIT domain: 2. Privacy & Security
MIT subdomain: 2.2 > AI system security vulnerabilities and attacks
AI type: GPAI, Classical_ML, Agentic
Scope: Both
Source standard: MIT AI Risk Repository v4

Provenance

Source standard: MIT AI Risk Repository v4
Source frameworks: Cui2024, NIST2024, Sharma2024, TC2602024, Uuk2025
ISO/IEC references: 23894 obj A.11; src 9, 10; mech B.6 | 42001 ctrl A.10.3, A.4.4
GPAI Code of Practice: S&S Ch. Commitment 6

Framework crosswalk

Every framework item mapped to this risk is listed below. Items marked partial overlap only in part.

Sources (frameworks that contributed to the register)

ISO 23894 (1)
  • A.11 ISO/IEC 23894 Annex A
ISO 42001 (2)
  • A.10.3 ISO/IEC 42001 Annex A
  • A.4.4 ISO/IEC 42001 Annex A
EU AI Act (1)
  • CoP S&S Ch. Commitment 6
MITRE ATLAS (14)

Expanded into this risk’s technique sub-risks.

Cross-checks (frameworks mapped in to test coverage)

Cisco (3)
  • AISubtech-9.3.1 Malicious Package / Tool Injection
  • AISubtech-9.3.2 Dependency Name Squatting (Tools / Servers)
  • AISubtech-9.3.3 Dependency Replacement / Rug Pull
NIST AML (2)
  • NISTAML.05 Supply Chain Attacks
  • NISTAML.051 Model Poisoning (supply chain)
NIST GenAI (2)
  • GENAI.12 Value Chain and Component Integration
  • GENAI.9 Information Security
OWASP LLM (1)
  • LLM03:2025 Supply Chain
OWASP Agentic (1)
  • ASI04 Agentic Supply Chain Vulnerabilities

Sub-risks (8)

Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.

MR-018.1 AI supply-chain compromise

A compromised model, dataset, library, or hardware component enters the system through the supply chain.

MITRE ATLAS technique: AML.T0010 AI Supply Chain Compromise

MR-018.2 Poisoned models published to registries

A backdoored or poisoned model is published to a public registry to be adopted by victims.

MITRE ATLAS technique: AML.T0058 Publish Poisoned Models

MR-018.3 Hallucinated-entity (slopsquatting) supply-chain attack

Adversaries register packages or resources matching names the model commonly hallucinates, so its recommendations deliver malicious artifacts.

MITRE ATLAS technique: AML.T0060 Publish Hallucinated Entities

MR-018.4 Masquerading of malicious AI artifacts

Malicious models or files are disguised to appear legitimate and trusted.

MITRE ATLAS technique: AML.T0074 Masquerading

MR-018.5 Corrupted model file evading scanning

A malicious model file is deliberately corrupted so security scanners cannot inspect it.

MITRE ATLAS technique: AML.T0076 Corrupt AI Model

MR-018.6 Poisoned AI agent tools published

Malicious agent tools are published for adoption, carrying hidden harmful behavior.

MITRE ATLAS technique: AML.T0104 Publish Poisoned AI Agent Tool

MR-018.7 AI supply-chain rug pull

A genuinely useful AI component gains adoption, then a later update turns malicious.

MITRE ATLAS technique: AML.T0109 AI Supply Chain Rug Pull

MR-018.8 AI supply-chain reputation inflation

Adversaries inflate the apparent trustworthiness of malicious AI components to drive adoption.

MITRE ATLAS technique: AML.T0111 AI Supply Chain Reputation Inflation


Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0. Full attribution and licensing.