{"id":106288,"date":"2026-01-06T07:00:00","date_gmt":"2026-01-06T05:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=106288"},"modified":"2026-02-27T20:38:23","modified_gmt":"2026-02-27T18:38:23","slug":"hugs-from-strangers-ai-model-confusion-supply-chain-attack","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/","title":{"rendered":"AI Model Confusion: An LLM\/AI Model Supply Chain Attack"},"content":{"rendered":"<style type=\"text\/css\">@import url(\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/styles\/vs2015.min.css\");@font-face{font-family:'Hack';src:url('https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/hack-font\/3.3.0\/web\/fonts\/hack-regular-subset.woff2') format('woff2')}:root{--code-font:'Hack','Menlo','Consolas',monospace !important;--code-bg:#1e1e1e;--code-color:#0c1;--code-dim:#071;--text-color:#121185;--highlight-color:#f8ff91;--highlight-color-alt:#736ca0}article.content{max-width:100% !important;min-width:80% !important;width:99% !important}.wp-block-code code{text-wrap:nowrap !important}figure{margin-top:1.5rem;margin-bottom:1.5rem}p.caption,figcaption{font-size:1rem !important;font-style:italic !important;color:var(--code-dim) !important}p.caption *,figcaption *{font-size:inherit !important}div.callout{max-width:80% !important;padding-top:.5rem;padding-bottom:.5rem;margin-top:1rem;margin-bottom:1rem;display:block;margin-left:10%;border-top:.3rem solid #121185;border-bottom:.3rem solid #121185}div.callout p{font-size:x-large;text-align:left;font-weight:bold}.cxzero-video-include{display:block;max-width:1920px;width:100%;padding-top:1rem;padding-bottom:1rem}.cxzero-video-include video{display:block;padding:.5rem;background-color:var(--code-bg);width:98%;object-fit:cover}pre.wp-block-code,pre.highlighted-code,pre.sourceCode,pre{border:1px solid 
var(--code-color);width:90%;background-color:var(--code-bg);color:var(--code-color);margin:1em;padding:2em;overflow-x:scroll;font-family:var(--code-font);font-size:10.5pt;line-height:1.1em;text-wrap:nowrap !important;box-shadow:5px 5px 13px 0 var(--code-bg)}* kbd,* code,* tt{font-family:var(--code-font);padding-inline:.5em;color:var(--code-dim);font-size:85%}pre code{color:var(--code-color);font-size:90%}pre.highlighted-code span{font-family:var(--code-font);font-size:10.5pt;color:var(--code-color)}pre.highlighted-code span.comment{font-style:italic;color:var(--code-dim)}pre.highlighted-code span.keyword,pre.highlighted-code span.preproc{font-weight:bold;font-style:oblique}blockquote,blockquote *{font-size:1.375rem !important;font-style:italic !important}blockquote{border-left:.1rem solid;padding-left:1rem}mark,mark *{background-color:var(--highlight-color) !important}mark.ai-content,mark.ai-content *{background-color:var(--highlight-color-alt) !important;color:#fff !important}.cxzero-cve-block{border:1px solid var(--code-color,#0c1);padding:.5rem;p{padding:0;margin:0}span.vulndesc{display:block;font-size:.9rem;font-weight:400;font-style:italic}span.cvss::before{content:\"  \"}span.cvss{background:#fe0}span.cvss.critical{background:#c00;color:#eee}span.cvss.high{background:#ffac1c;color:#0015ff}span.vector::before{content:\"\u25b8\"}span.vector,span.vector *{overflow-wrap:break-word;font-family:var(--code-font);font-size:10pt}.kev{display:block;font-weight:bold}.kev::before{content:\"\u203c\ufe0f\"}}.print-source-info{display:none}@media print{.header,.header *,.article-nav,.article-nav *,.aticle-nav,.aticle-nav *,.section_latest,.section-latest *,footer,footer *,.section-menu-page,.section-menu-page *,.top-menu,.top-menu *,.top-menu__container,.top-menu__container *,.section-zero-article,.section-zero-article *{display:none}@page{margin:13mm !important}.section-aticle-header__image-or-video{max-width:125mm}.print-source-info{display:block;border-left:.2rem solid 
#000;font-style:italic !important;font-size:85%;padding-left:1rem}}<\/style> <script src=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/highlight.js\/11.11.1\/highlight.min.js\" integrity=\"sha512-EBLzUL8XLl+va\/zAsmXwS7Z2B1F9HUHkZwyS\/VKwh3S7T\/U0nF4BaU29EP\/ZSf6zgiIxYAnKLu6bJ8dqpmX5uw==\" crossorigin=\"anonymous\" referrerpolicy=\"no-referrer\"><\/script> <script>hljs.highlightAll();<\/script> \n\n\n\n<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<p>Recently, our team conducted an in-depth analysis of supply chain security with a focus on the AI ecosystem. During this investigation, we uncovered a new supply-chain attack vector that can compromise code that insecurely loads local models.<\/p>\n\n\n\n<p>Today, we\u2019re introducing this new supply-chain attack against registries of LLMs and other AI models: we formally call it <strong>Model Confusion<\/strong>. 
But we like to think of it as &#8220;unwanted hugs from strangers&#8221;.<\/p>\n\n\n\n<p style=\"border: 0.1rem solid var(--Text-on-light-Primary, #121185); border-radius: 0 1.2rem 1.2rem; padding: 1.2rem;\"><em>See also our prior research on risks to be aware of from Hugging Face, in our <strong>&#8220;Free Hugs&#8221; series<\/strong>: start with <a href=\"\/blog\/free-hugs-what-to-be-wary-of-in-hugging-face-part-1\/\">Part 1 on our blog<\/a><\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"introduction\">Avoiding Hugs From Strangers: AI Model Confusion<\/h2>\n\n\n\n<p><strong>Model Confusion<\/strong>&nbsp;resembles the well-known&nbsp;<a href=\"https:\/\/medium.com\/@alex.birsan\/dependency-confusion-how-i-hacked-into-apple-microsoft-and-dozens-of-other-companies-4a5d60fec610\"><strong><u>Dependency Confusion<\/u><\/strong><\/a>&nbsp;attack in software development. For context, dependency confusion occurs when a project references a local package that may not exist on the developer\u2019s machine. If the package is missing locally but exists in a public package registry, the package manager may automatically download the remote version. This creates an opportunity for attackers to publish malicious packages with the same name as internal dependencies, potentially targeting organizational developers.<\/p>\n\n\n\n<p>Model Confusion operates similarly but affects AI models rather than software packages. 
The implications are significant, as mistakenly downloading a malicious model could lead to severe security risks, including remote code execution (RCE) or the usage of compromised models.<\/p>\n\n\n\n<p><strong><em>Nothing here is hypothetical \u2014 we\u2019ve already found popular open\u2011source code samples from top tech firms that could execute malicious code if run as\u2011is.<\/em><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"the-discovery\">The Discovery<\/h2>\n\n\n\n<p>It all started with this line:<\/p>\n\n\n\n<blockquote>\n<p><em>To get a pretrained model, you need to load the weights into the model. This is done by calling&nbsp;<a href=\"https:\/\/huggingface.co\/docs\/transformers\/v4.57.1\/en\/main_classes\/model#transformers.PreTrainedModel.from_pretrained\"><u>from_pretrained()<\/u><\/a>&nbsp;which accepts weights from the&nbsp;<strong><u>Hugging Face Hub<\/u><\/strong>&nbsp;or a&nbsp;<strong><u>local directory<\/u><\/strong>.<\/em><\/p>\n\n\n\n<p>\u2013&nbsp;<a href=\"https:\/\/huggingface.co\/docs\/transformers\/en\/models#model-classes\"><strong><u>Hugging Face Documentation<\/u><\/strong><\/a><\/p>\n<\/blockquote>\n\n\n\n<p>Do you smell&nbsp;<em>dependency confusion<\/em>&nbsp;creeping in here, like we did?<\/p>\n\n\n\n<p>Before we dive into how to identify and mitigate Model Confusion in your codebase, let\u2019s see that in action:<\/p>\n\n\n\n<div class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2026\/01\/ai-model_confusion_mini_demo-redacted.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">Miniature demo &#8211; some details redacted due to contract obligations<\/p>\n<\/div>\n\n\n\n<p>On the other hand, if this model exists locally, you can see no calc is spawned, and the local model is the one to get executed:<\/p>\n\n\n\n<div 
class=\"cxzero-video-include\">\n<video muted controls controlslist=\"nodownload noremoteplayback\">\n<source src=\"\/wp-content\/uploads\/2026\/01\/ai-model_confusion_complete-demo.mp4\" type=\"video\/mp4\">\n<p><em>Your browser cannot display this video content<\/em><\/p>\n<\/video>\n<p class=\"caption\">Complete demo &#8211; some details redacted due to contract obligations<\/p>\n<\/div>\n\n\n\n<p>This demo shows how an official code sample (from one of the Fortune 500 companies) led to Remote Code Execution via Model Confusion. We\u2019ve reported the issue to them, and they resolved it within a single day.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"technical-analysis\">Technical Analysis<\/h2>\n\n\n\n<p>Similar to Dependency Confusion, the core challenge in this supply-chain attack is identifying which local packages to target to maximize the likelihood that victims will take the bait. However, Model Confusion relies on different discovery and exploitation techniques. While we developed several internal methods for identifying sensitive names, we won\u2019t disclose them to avoid enabling malicious use. 
What we can say is that Model Confusion is effective because users often store local models in predictable, easy-to-guess directories.<\/p>\n\n\n\n<p>Later, when the code is shared with other developers, either privately or via open-source projects, and the expected local models are missing, anyone who downloads and runs the code may inadvertently load a&nbsp;<strong>malicious remote model<\/strong>&nbsp;instead of the intended local one.<br>Organizations should proactively secure predictable identifiers, as failure to do so can allow threat actors to exploit naming ambiguity and mislead users.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"prerequisits\">Prerequisites<\/h3>\n\n\n\n<p>During the research, we\u2019ve also gathered some prerequisites that must be met for the attack to be possible, and while this might look like a long list, in practice, they can be found quite easily in the wild:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The expected local model is missing from the victim\u2019s machine or is in a different path.<\/li>\n\n\n\n<li>The model path does not start with&nbsp;<code>.\/<\/code>&nbsp;or&nbsp;<code>\/<\/code>&nbsp;(those imply local-only access), and it does not contain HF-username-restricted characters.<\/li>\n\n\n\n<li>The path has exactly two components (for example:&nbsp;<code>checkpoints\/model-name<\/code>).<\/li>\n\n\n\n<li>The parameter&nbsp;<code>local_files_only<\/code>&nbsp;is not explicitly set to&nbsp;<code>True<\/code>.<\/li>\n\n\n\n<li>The attacker owns the username matching the sensitive directory name.<\/li>\n\n\n\n<li>While not a \u201creal\u201d prerequisite for this attack, the parameter&nbsp;<code>trust_remote_code<\/code>&nbsp;determines whether the code is vulnerable to RCE (when set to&nbsp;<code>True<\/code>) or to a compromised model (when set to&nbsp;<code>False<\/code>&nbsp;or not set).<\/li>\n<\/ol>\n\n\n\n<p>Not to say this is the entire list, but we believe it\u2019s comprehensive enough and provides a good 
indication of whether you need to act and how quickly.<\/p>\n\n\n\n<p>To make these prerequisites easier to understand, let\u2019s look at a few practical code examples:<\/p>\n\n\n\n<p><strong>Note:<\/strong>&nbsp;These code samples assume that an attacker has claimed the <code>checkpoints<\/code> username and uploaded a malicious model named <code>some-model<\/code>, and that the corresponding local model doesn\u2019t exist on the victim\u2019s machine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-python\">from transformers import AutoTokenizer\n\n# --- Vulnerable below ---\n\n# Example 1 - Vulnerable to RCE (`trust_remote_code` is set to `True`)\ntokenizer = AutoTokenizer.from_pretrained(\"checkpoints\/some-model\", trust_remote_code=True)\n\n# Example 2 - Vulnerable to the usage of a compromised model\n# Same code as the first example, without setting `trust_remote_code` to `True`\ntokenizer = AutoTokenizer.from_pretrained(\"checkpoints\/some-model\")\n\n\n# --- Safe below ---\n\n# Example 3 - violates prerequisite #2\n# The \".\/\" prefix enforces local directory only\ntokenizer = AutoTokenizer.from_pretrained(\".\/checkpoints\/some-model\", trust_remote_code=True)\n\n# Example 4 - violates prerequisite #3\n# There are more than two components in the path, so it cannot be resolved as an HF `username\/model` identifier\ntokenizer = AutoTokenizer.from_pretrained(\"another-directory\/checkpoints\/some-model\", trust_remote_code=True)\n\n# Example 5 - violates prerequisite #4\n# `local_files_only` is set to `True`, preventing Model Confusion\ntokenizer = AutoTokenizer.from_pretrained(\"checkpoints\/some-model\", local_files_only=True, trust_remote_code=True)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"particularly-interesting-directoriesnamespaces\">Particularly Interesting Directories\/Namespaces<\/h3>\n\n\n\n<p>To protect the community during our research, we captured several usernames that could have been used for exploitation and reported them to Hugging Face. 
This triggered a brief security lockout on our end:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"379\" height=\"250\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-figure1.webp\" alt=\"Screenshot of a Hugging Face login error message displayed in a light red alert box. The message reads: \u201cThe Hugging Face account associated with user \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 has been locked out following the violation of our Terms of Service. If you think this is mistake, you can contact safety@huggingface.co.\u201d Below the message is a white button labeled \u201cLogin\u201d. Beneath the button is a link that reads \u201cForgot your password?\u201d  \" class=\"wp-image-106291\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-figure1.webp 379w, https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-figure1-300x198.webp 300w\" sizes=\"(max-width: 379px) 100vw, 379px\" \/><figcaption class=\"wp-element-caption\">Directory lockout message<\/figcaption><\/figure>\n\n\n\n<p>We guess it\u2019s true that no good deed goes unpunished. (Luckily, the HF team has since restored our account.)<\/p>\n\n\n\n<p>Anyway, let\u2019s take a look at one particularly interesting case &#8211; the checkpoints directory. This directory is commonly used for saving checkpoints, which are fine-tuned models. We found out that this username was available for registration at the time. But rest assured, we\u2019ve captured this username (among others) to prevent malicious actors from exploiting it.<\/p>\n\n\n\n<p>In fact, the recorded demo demonstrates how Model Confusion can be exploited by utilizing the checkpoints directory. 
The sample looks for a fine\u2011tuned model in the checkpoints folder, but the repository does not include that file.<\/p>\n\n\n\n<p>Suppose an attacker controls the checkpoints username and uploads a model containing malicious Python code to it. In that case, anyone running the sample will actually download that malicious model and be vulnerable to a Remote Code Execution (RCE) because of the <code>trust_remote_code=True<\/code>.<\/p>\n\n\n\n<p>However, this directory is not the only one that should be considered \u201csensitive\u201d.<br>Additional examples we found in the wild:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>checkpoints\n<ul class=\"wp-block-list\">\n<li>Discovered in real-world code from a Fortune 500 company.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>outputs\n<ul class=\"wp-block-list\">\n<li>Discovered in real-world code from a Fortune 100 company.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>models-tmp, results, ckpts, and more.<\/li>\n<\/ul>\n\n\n\n<p>However, unfortunately, it\u2019s impossible to catch them all. Some users have already claimed some sensitive names before we discovered this attack vector. 
Even though we haven\u2019t found any malicious activity yet and cannot determine the real intentions behind these usernames, it\u2019s still helpful to highlight some examples that may require attention:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>namespace &#8211; Used by the huggingface_hub library (<a href=\"https:\/\/github.com\/huggingface\/huggingface_hub\/blob\/main\/tests\/test_hub_mixin_pytorch.py#L192\">1<\/a>,&nbsp;<a href=\"https:\/\/github.com\/huggingface\/huggingface_hub\/blob\/main\/tests\/test_hub_mixin_pytorch.py#L205\">2<\/a>,&nbsp;<a href=\"https:\/\/github.com\/huggingface\/huggingface_hub\/blob\/main\/tests\/test_hub_mixin_pytorch.py#L232\">3<\/a>), which&nbsp;<a href=\"https:\/\/huggingface.co\/namespace\">this user<\/a>&nbsp;captured.<\/li>\n\n\n\n<li>pretrained &#8211; used by&nbsp;<a href=\"https:\/\/github.com\/open-mmlab\/Amphion\/blob\/main\/evaluation\/metrics\/similarity\/speaker_similarity.py#L115\"><u>open-mmlab\/Amphion<\/u><\/a>&nbsp;and captured by&nbsp;<a href=\"https:\/\/huggingface.co\/PreTrained\"><u>this user<\/u><\/a>\n<\/li>\n\n\n\n<li>Among others: output, result, tmp, checkpoint, etc.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"am-i-vulnerable\">Am I vulnerable?<\/h2>\n\n\n\n<p>To know if you\u2019re vulnerable, first check if all your models that are accessed with the format&nbsp;<code>&lt;single_dir_OR_organization&gt;\/&lt;model_name&gt;<\/code>&nbsp;originate from a remote organization&nbsp;<strong>you trust<\/strong>.<\/p>\n\n\n\n<p>If not, either of the following options means you need to take active actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The username exists on Hugging Face, but you don\u2019t recognize it or do not trust it<\/li>\n\n\n\n<li>An organization with the same name as the directory doesn\u2019t exist<\/li>\n<\/ul>\n\n\n\n<p><em>Note: As mentioned in the prerequisites section, HF restricts certain special characters in usernames. 
If your directory name contains those characters (e.g., underscore), you\u2019re probably safe for now. However, this may change in the future; therefore, we highly recommend not relying on this as a prevention mechanism and applying the following mitigations in these cases as well.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"mitigations\">Mitigations<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you know the models are only supposed to be loaded from the local directory, you can use one of these options:\n<ul class=\"wp-block-list\">\n<li>Set the <code>HF_HUB_OFFLINE=1<\/code> environment variable, which applies globally.<\/li>\n\n\n\n<li>Set the <code>local_files_only<\/code> flag to <code>True<\/code> in the code, which applies at the code level.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Another alternative is to use the absolute path to the model, thus eliminating the risk of using remote models. If a relative path is required, prepend it with <code>.\/<\/code> or <code>..\/<\/code> (for example, <code>.\/dir-name\/model-name<\/code>) to enforce a local path.<\/li>\n\n\n\n<li>For a more robust security posture, the Hugging Face security team recommends that large organizations&nbsp;<a href=\"https:\/\/huggingface.co\/enterprise\">subscribe to Enterprise Hub<\/a>&nbsp;and configure an allowlist of approved models that users can download.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"disclosure-timeline\">Disclosure Timeline<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"hugging-face\">Hugging Face<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First report &#8211; 22 Oct 2025<\/li>\n\n\n\n<li>Thanks to the Hugging Face security team for adding a couple of additional possible mitigations<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"amphion\">Amphion<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First Report &#8211; 08 Dec 
2025<\/li>\n<\/ul>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Checkmarx Zero research reveals the AI Model Confusion attack pattern against registries like Hugging Face, building on Dependency Confusion in OSS library registry. Learn what it is and how to defend yourself.<\/p>\n","protected":false},"author":121,"featured_media":106293,"template":"","zero-category":[1067,1176,1104],"zero-tag":[1097,1082,1477,1475,1476,1391,1474,1113,1071],"class_list":["post-106288","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog","zero-category-security-blogs","zero-category-technical-blog","zero-tag-ai","zero-tag-ai-security","zero-tag-ai-supply-chain","zero-tag-dependency-confusion","zero-tag-hugging-face","zero-tag-llm","zero-tag-model-confusion","zero-tag-open-source-supply-chain","zero-tag-supply-chain-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>AI Model Confusion: An LLM\/AI Model Supply Chain Attack - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI Model Confusion: An LLM\/AI Model Supply Chain Attack - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Checkmarx Zero research reveals the AI Model Confusion attack pattern against registries like Hugging Face, building on Dependency Confusion in OSS library registry. 
Learn what it is and how to defend yourself.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:38:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/\",\"name\":\"AI Model Confusion: An LLM\/AI Model Supply Chain Attack - 
Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp\",\"datePublished\":\"2026-01-06T05:00:00+00:00\",\"dateModified\":\"2026-02-27T18:38:23+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp\",\"width\":2560,\"height\":1280,\"caption\":\"A robot wearing the HuggingFace logo is trying to hug a male developer. The developer is reacting in horror.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI Model Confusion: An LLM\/AI Model Supply Chain Attack - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/","og_locale":"en_US","og_type":"article","og_title":"AI Model Confusion: An LLM\/AI Model Supply Chain Attack - Checkmarx","og_description":"Checkmarx Zero research reveals the AI Model Confusion attack pattern against registries like Hugging Face, building on Dependency Confusion in OSS library registry. 
Learn what it is and how to defend yourself.","og_url":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:38:23+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/","url":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/","name":"AI Model Confusion: An LLM\/AI Model Supply Chain Attack - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp","datePublished":"2026-01-06T05:00:00+00:00","dateModified":"2026-02-27T18:38:23+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/hugs-from-strangers-ai-model-confusion-supply-chain-attack\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/01\/ai-model_confusion-feature.webp",
"width":2560,"height":1280,"caption":"A robot wearing the HuggingFace logo is trying to hug a male developer. The developer is reacting in horror."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/106288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/106293"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=106288"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href"
:"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=106288"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=106288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}