Poisoned model in fake Alibaba SDK shows challenges of securing the AI supply chain
The attack activity discovered by ReversingLabs involves three packages: aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk and aliyun-ai-labs-sdk. Together, the three packages were downloaded 1,600 times, which is significant because they were taken offline less than a day after they were found.
Developers’ computers are valuable targets because they often contain various credentials, API tokens, and other access keys to a variety of cloud and on-premises infrastructure services. Compromising such computers can easily lead to lateral movement to other parts of the environment.
The malicious SDKs uploaded to PyPI load the poisoned models from their __init__.py script. These models then execute base64-obfuscated code designed to steal information about logged-in users, the network addresses of the infected computers, the names of the organizations the machines belong to, and the .gitconfig file.
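A model file that runs code when it is loaded is only detectable before the damage is done if it is inspected without loading it. The following is an added example, not code from the article or from ReversingLabs, and it assumes the poisoned models are pickle-serialized, which the article does not state. It disassembles a pickle stream with pickletools.genops (which never executes anything), reports every importable name the stream references against a hypothetical allowlist, and counts the opcodes that construct or call objects. The sample inputs are constructed here: an ordinary weights dict, and two hand-assembled streams that would call os.getcwd() if loaded, one in protocol 0 and one in protocol 4.

```python
"""Static scan of a pickle-serialized model file for code-executing opcodes.

Added example (not code from the article or from ReversingLabs). It assumes
the poisoned models are pickle-serialized, which the article does not state.
pickletools.genops disassembles the stream without running it, so the scan
is safe to apply to untrusted files before any load.
"""
import pickle
import pickletools
from typing import Dict, List, Tuple

# Hypothetical allowlist: the only importable names a plain weights file is
# expected to reference. Anything else (os, subprocess, builtins.exec, ...)
# is reported as suspicious.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that push a text string (the operands STACK_GLOBAL consumes).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Opcodes that construct an object or call a callable during unpickling.
CALL_OPS = {"REDUCE", "BUILD", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data: bytes) -> Dict[str, object]:
    """Disassemble `data` and report imported globals and object-building ops."""
    suspicious: List[Tuple[str, str]] = []
    imports: List[Tuple[str, str]] = []
    calls = 0
    recent_strings: List[str] = []  # strings pushed so far, for STACK_GLOBAL

    def note(module: str, attr: str) -> None:
        imports.append((module, attr))
        if (module, attr) not in SAFE_GLOBALS:
            suspicious.append((module, attr))

    for op, arg, pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # Protocols 0-3: operand is "module name" from two text lines.
            module, _, attr = arg.partition(" ")
            note(module, attr)
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed before it.
            if len(recent_strings) >= 2:
                note(recent_strings[-2], recent_strings[-1])
            else:
                # Operands came from the memo or elsewhere; treat as unknown.
                suspicious.append(("<unresolved>", "<unresolved>"))
        elif op.name in CALL_OPS:
            calls += 1
        if op.name in STRING_OPS:
            recent_strings.append(arg)

    return {"imports": imports, "suspicious": suspicious, "calls": calls,
            "safe_to_load": not suspicious}


# Constructed samples. BENIGN_MODEL is an ordinary weights dict. The other two
# are hand-assembled streams that would call os.getcwd() on load: protocol 0
# uses the GLOBAL text opcode, protocol 4 uses SHORT_BINUNICODE + STACK_GLOBAL.
# None of them is ever passed to pickle.loads here.
BENIGN_MODEL = pickle.dumps({"layer1.weight": [0.1, -0.2, 0.3]}, protocol=4)
POISONED_PROTO0 = b"cos\ngetcwd\n)R."
POISONED_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL),
                        ("poisoned-proto0", POISONED_PROTO0),
                        ("poisoned-proto4", POISONED_PROTO4)):
        print(label, scan_pickle(blob))
```

The allowlist is the part to tune per project: a real framework's checkpoint format references its own rebuild helpers, and those names belong in SAFE_GLOBALS, while anything resolving to a process, network or filesystem module should keep the file out of the loader.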