Security researchers and industry reporting warn that open-weight AI models can be poisoned quickly and inexpensively, allowing attackers to implant hidden behaviors that survive normal inspection and may only activate under specific conditions. In one recent demonstration, researcher Katie Paxton-Fear fine-tuned an open model in about an hour for under $100, first changing coding style and then inserting a backdoor that produced remote-code-execution-vulnerable output after only ten training examples. Another experiment cited in reporting showed a compromised model in a drug-discovery workflow using a tool call to exfiltrate data, underscoring how model tampering can translate into downstream operational risk.
The findings align with earlier academic work on BadNets and more recent research on sleeper agents, which showed that deceptive or backdoored model behavior can persist through safety training. Broader AI supply-chain analysis says the risk extends beyond model weights to datasets, dependencies, serialization formats, and build infrastructure, with examples including the torchtriton dependency-confusion attack, exposed Hugging Face access tokens, more than 100 malicious Hugging Face models identified by JFrog, and the Ultralytics CI/CD compromise. The central concern for defenders is that AI artifacts often require deep trust while offering limited provenance and observability, making malicious manipulation harder to detect than traditional software tampering.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
David Kaplan of Origin conducted a similar experiment, creating a compromised model in a drug-discovery context that could exfiltrate data through a tool call. The work was cited as another example of AI model supply-chain poisoning risk.
Katie Paxton-Fear demonstrated that an open-weight model could be fine-tuned in about an hour for under $100 to introduce malicious behavior. Her experiments included changing coding style behavior and implanting a backdoor that produced remote-code-execution-vulnerable output after only ten training examples.
The paper "Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training" was published, presenting research on LLMs trained to retain hidden malicious behaviors even after safety tuning.
The paper "BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain" was published, documenting how machine learning models can be maliciously backdoored and still perform well on normal inputs.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
medium.com
Open sourcetheregister.com
Open sourcearxiv.org
Open sourcearxiv.org
Open sourcearxiv.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.