Protect your AI workloads from supply chain attacks

Anushka Iyer, Product Marketing Manager

AI isn't coming; it's already here.

This shift happened in the blink of an eye. Organizations that spent 2024 skeptical of ChatGPT are today building AI-powered experiences to process vast amounts of data, automate complex workflows, and make faster decisions in competitive markets.

As organizations adopt AI, maintaining reliability and control is critical. Businesses have to deal with the accumulation of technical debt from deployed AI-generated code that hasn't been trained on team-specific coding standards. There’s architectural drift as AI components are retrofitted onto legacy systems, creating fragile dependencies and poorly documented integration points. AI adoption can cause infrastructure sprawl from proliferating AI tools and APIs, creating maintenance nightmares and operational complexity.

Existing challenges with building AI solutions

Complex dependency trees with bloated artifacts

Dependencies account for a significant portion of code in AI/ML solutions, creating unique architectural challenges that traditional software rarely faces. AI systems require a multi-layered technology stack encompassing data processing pipelines, model training frameworks (TensorFlow, PyTorch), hardware acceleration libraries (CUDA, cuDNN), model serving infrastructure, MLOps platforms for deployment and monitoring, with each layer expanding the attack surface for unremediated CVEs.

Available open source artifacts are typically designed to serve multiple use cases, resulting in bloated artifacts that accommodate broad functionality. This oversized footprint creates a dual burden: it multiplies security vulnerabilities while increasing storage and operational costs.

Chainguard Containers resolves these issues by offering minimal images for AI workloads that significantly reduce the attack surface. These images are backed by our industry-leading CVE remediation SLA, ensuring that you get near-zero CVEs. We offer images like:

For instance, our gpu-operator image delivers substantial improvements over the open source equivalent. At just 50 MB, it's roughly one-third the size of the upstream equivalent (170 MB), enabling faster deployments and reduced storage overhead.

Beyond efficiency gains, the security difference is even more striking. Chainguard’s gpu-operator maintains zero CVEs, while the open source equivalent carries approximately 700 CVEs. This dramatic reduction in vulnerabilities means fewer security patches, less maintenance overhead, and significantly lower risk exposure for production environments.

Independent AI agents compound malware risk

The convergence of AI agents and malware attacks creates a dangerous threat landscape for software supply chains. AI agents managing CI/CD pipelines introduce vulnerabilities through their autonomous decision-making. Unlike traditional automation that follows predefined rules, AI agents interpret instructions and make dependency choices based on training data that may not reflect security best practices. Meanwhile, conventional malware attacks exploit package repositories, build tools, and distribution channels that most agents leverage.

When these intersect, AI agents become unwitting distribution mechanisms for malware, automatically propagating compromised packages across dozens of services before security teams can respond.

Consider the typosquatting attacks targeting developers interested in DeepSeek and SymPy. In both incidents, attackers uploaded malicious packages to PyPI that mimicked popular libraries. Unsuspecting developers eager to try these trending tools downloaded the malicious versions without verifying their authenticity. The SymPy attackers went further, copying the legitimate project description verbatim to appear credible. AI coding agents are especially exposed to such attacks: they install dependencies automatically during code generation and are easily tripped up by the difference between sympy and a malicious sympy-dev, bypassing the manual verification of package names and publishers that human developers typically perform.

AI agents create new attack vectors

When AI agents manage CI/CD pipelines and build processes, they introduce new risks. Without training on organization-specific practices, they generate redundant code and bypass established security standards. Even more problematic: 20% of AI-generated code references packages that don't exist, which increases the potential for supply chain attacks as bad actors expand their typosquatting campaigns to register those hallucinated names.

AI agents can also be manipulated through prompt injection attacks. Attackers embed malicious instructions into pull requests or commit messages, and agents treat them as legitimate commands and execute them. The ‘PromptPwnd’ flaw, which leveraged prompt injection via GitHub Actions and GitLab CI/CD pipelines running AI agents, has impacted five Fortune 500 companies.

Increasing malware attacks that target the build and distribution stages

From 2023 to 2024, attackers introduced more than 512K malicious packages into open source repositories. Attackers primarily target the build and distribution stages of package creation. Their attacks often lack publicly available source code, meaning they inject malicious code into packaged binaries that developers download from public registries and run in their environments.

In the last few years, we’ve seen multiple attacks that used this exact strategy to infect essential AI dependencies such as Ultralytics and PyTorch.

Ultralytics supply chain attack

In December 2024, attackers compromised the popular Ultralytics AI library (60M+ downloads) by exploiting its CI/CD pipeline through script injection in GitHub Actions. They published four malicious versions containing XMRig cryptocurrency mining malware, which were downloaded 260K+ times daily over 72 hours. The attack injected the malware between code review and publication without touching the source code itself, causing massive CPU resource theft.

PyTorch torchtriton

This attack exploited dependency confusion, the gap between where packages are supposed to come from and where pip actually downloads them.

For developers pulling the torchtriton dependency, a malicious package with the same name was registered on PyPI alongside PyTorch’s legitimate package. Because of how pip resolves dependencies across indexes, users unknowingly downloaded the malicious version from PyPI instead of the legitimate one. This malware was downloaded more than 3,000 times. It exfiltrated sensitive data, including SSH keys and environment variables, and launched an attack via DNS tunneling.
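The three failure modes described above (typosquatted names, hallucinated packages that match nothing approved, and a package resolved from the wrong index) can all be caught before installation by auditing a resolved install plan against an allowlist. The following is an added example, not Chainguard's code or any project's tooling; the allowlist, index URLs, artifact bytes and install plan are constructed for illustration.

```python
"""Pre-install audit of a resolved dependency plan (added example; constructed data)."""
import difflib
import hashlib
from typing import Optional

# Constructed artifacts standing in for reviewed wheels; their sha256 is the pin.
APPROVED_ARTIFACTS = {
    "sympy": b"sympy-1.12-py3-none-any.whl (constructed bytes)",
    "torchtriton": b"torchtriton-2.0.0 (constructed bytes)",
}
# Allowlist: the only index each package may be fetched from, plus its pinned hash.
APPROVED = {
    "sympy": {"index": "https://pypi.org/simple",
              "sha256": hashlib.sha256(APPROVED_ARTIFACTS["sympy"]).hexdigest()},
    "torchtriton": {"index": "https://download.pytorch.org/whl/nightly",
                    "sha256": hashlib.sha256(APPROVED_ARTIFACTS["torchtriton"]).hexdigest()},
}

def check_name(name: str, cutoff: float = 0.7) -> Optional[str]:
    """Flag names not on the allowlist: near-misses of approved names are
    likely typosquats (sympy-dev vs sympy); anything else is unknown, and may
    be a package the agent hallucinated."""
    if name in APPROVED:
        return None
    close = difflib.get_close_matches(name, APPROVED, n=1, cutoff=cutoff)
    if close:
        return f"possible typosquat: {name!r} resembles approved {close[0]!r}"
    return f"unknown package {name!r}: not on the allowlist"

def check_artifact(name: str, index: str, data: bytes) -> Optional[str]:
    """Flag an approved package fetched from the wrong index (dependency
    confusion) or whose bytes differ from the pinned hash (tampered build)."""
    rule = APPROVED[name]
    if index != rule["index"]:
        return f"{name}: fetched from {index}, expected {rule['index']}"
    digest = hashlib.sha256(data).hexdigest()
    if digest != rule["sha256"]:
        return f"{name}: sha256 {digest[:12]}... does not match pinned artifact"
    return None

def audit(plan):
    """Return findings for a plan of (name, index, artifact bytes) tuples."""
    findings = []
    for name, index, data in plan:
        finding = check_name(name) or check_artifact(name, index, data)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    # Constructed plan mirroring the incidents above: a typosquat, torchtriton
    # resolved from PyPI instead of PyTorch's index, and a clean sympy.
    for f in audit([("sympy-dev", "https://pypi.org/simple", b"x"),
                    ("torchtriton", "https://pypi.org/simple", b"malicious 3.0.0"),
                    ("sympy", "https://pypi.org/simple", APPROVED_ARTIFACTS["sympy"])]):
        print("BLOCK:", f)
```

In a real pipeline the same checks correspond to pinning an index per package and installing with hash-pinned requirements, so that an agent cannot pull an unreviewed artifact.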

Chainguard Libraries for Python would have prevented both attacks by building from source. By controlling the entire supply chain and building all packages from source in the Chainguard Factory, our secure SLSA L2-compliant build system, we eliminate reliance on third-party build systems that aren't required to follow the same enterprise security standards as your organization. Similarly, our practice of pulling dependencies exclusively from official, verified repositories, such as PyTorch's, would have blocked the torchtriton attack before it reached your production environment.

Defending against AI-powered threats

While organizations harness AI for productivity gains, threat actors are weaponizing the same technology to launch bolder attacks at a faster pace, altering the security landscape. What used to take hackers days or weeks can now happen in minutes. AI agents scan thousands of targets simultaneously, automatically retrying failed exploits with variations until they succeed.

Traditional security approaches are no longer viable; the old model of patching containers during the next maintenance window leaves software critically exposed. By the time organizations are ready to remediate, attackers have already breached systems.

Chainguard Containers delivers speed that matches the threat, maintaining industry-leading CVE remediation SLAs of 7 days for critical vulnerabilities and 14 days for all others. We provide fixes for CVEs in container images as soon as they are available in the upstream. This isn't just faster patching; it's closing the window before attackers can exploit it.

Chainguard Libraries provides dependencies built from verified, public source code. This ensures that the binaries you consume match the source bit-for-bit, preventing malware that’s typically injected during the build and distribution stage of the package creation process. Every Chainguard library is a drop-in replacement for what you use today, and each one includes signed provenance and SBOMs to verify the integrity of your entire AI software supply chain.

Both products allow you to accelerate AI adoption with confidence. Chainguard Containers and Chainguard Libraries provide your team with foundational security against supply chain attacks while maintaining the developer velocity required to outbuild your competition. Contact us today.
