Supply-Chain Attacks in Machine Learning Frameworks

Yue Gao, Ilia Shumailov, Kassem Fawaz

Conference on Machine Learning and Systems 2025 · Day 4 · Session 12: Edge and Cloud Systems

This talk, presented by Yue Gao, Ilia Shumailov, and Kassem Fawaz at MLSys 2025, delves into the critical and rapidly escalating issue of supply chain attacks within the machine learning ecosystem. The speakers highlight how the increasing complexity and reliance on open-source software in ML frameworks create a unique and significantly larger attack surface compared to traditional software. They argue that existing safeguards, while robust for conventional software, are often insufficient to protect against sophisticated attacks targeting both the software and machine learning layers. The core of their work identifies a novel class of supply chain attacks that exploit the dynamic nature of Python's runtime to bypass current defenses, injecting vulnerabilities or disabling protective measures in ML models and pipelines.
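The abstract's point that Python's runtime is dynamic means a framework function can be rebound after import, so a check on package files alone says nothing about what will actually run at inference time. The following is an added example of one defensive response, not code from the talk or its authors: fingerprint the bytecode of the framework callables a pipeline relies on right after import, then re-audit the live objects before use. `toy_framework`, `_softmax` and `BASELINE` are constructed stand-ins and assumed names, not a real package.

```python
"""Runtime integrity audit for callables exposed by an ML framework module.

Added example (not from the talk): a baseline of bytecode fingerprints is taken
once, right after import, and re-checked before inference. `toy_framework` is a
constructed stand-in for a real package such as torch; all names are assumptions.
"""
import functools
import hashlib
import math
import types


def _feed(h, code):
    """Hash bytecode, referenced names and constants, recursing into nested code."""
    h.update(code.co_code)
    h.update(repr(code.co_names).encode())
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            _feed(h, const)  # list comprehensions etc. compile to nested code objects
        else:
            h.update(repr(const).encode())


def fingerprint(fn):
    """SHA-256 over the __code__ of a function.

    Unlike fn.__name__ or fn.__doc__, __code__ is not copied by functools.wraps,
    so a wrapper that imitates the original still produces a different digest.
    """
    h = hashlib.sha256()
    _feed(h, fn.__code__)
    return h.hexdigest()


def snapshot(module, names):
    """Record fingerprints of the listed callables as the trusted baseline."""
    return {name: fingerprint(getattr(module, name)) for name in names}


def audit(module, baseline):
    """Return the names whose live object no longer matches the baseline."""
    drift = []
    for name, expected in baseline.items():
        obj = getattr(module, name, None)
        if not hasattr(obj, "__code__") or fingerprint(obj) != expected:
            drift.append(name)
    return drift


# --- constructed stand-in for a framework module (assumption) ---------------
def _softmax(xs):
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


toy_framework = types.ModuleType("toy_framework")
toy_framework.softmax = _softmax

# Baseline taken immediately after import, before any third-party code runs.
BASELINE = snapshot(toy_framework, ["softmax"])


def simulate_rebinding_and_audit():
    """Rebind toy_framework.softmax to a look-alike wrapper, audit, then restore.

    The wrapper is behaviourally identical and copies __name__/__doc__ via
    functools.wraps, so a name-based check would pass; the fingerprint does not.
    """
    original = toy_framework.softmax

    @functools.wraps(original)
    def look_alike(xs):
        return original(xs)

    toy_framework.softmax = look_alike
    try:
        return audit(toy_framework, BASELINE)
    finally:
        toy_framework.softmax = original


if __name__ == "__main__":
    print("clean:", audit(toy_framework, BASELINE))           # []
    print("after rebinding:", simulate_rebinding_and_audit())  # ['softmax']
```

Two caveats a practitioner would want: the baseline must be captured from a trusted import (for example, in a build step whose digests are stored outside the environment being audited), and a check that runs inside the same interpreter as the code it audits can itself be rebound, so this is a detection layer rather than a root of trust.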

AI review

Gao, Shumailov, and Fawaz present a real and underappreciated threat — Python's dynamic runtime as an enabler for ML-layer supply chain attacks — with a couple of concrete, reproducible examples (interpolation mode switching, SoftMax margin inflation) that genuinely illustrate the attack class. The dependency measurement and GitHub LLM analysis are interesting supporting data. But the talk stops short of what would make it essential: no working proof-of-concept code, no formal threat model, no detection tooling, and the 'fix' section reads like a security awareness poster rather than an…