AI Model Confusion: An LLM/AI Model Supply Chain Attack
ID: 657fe252-d8f9-55be-87a9-254ab4b16c4b
STIX ID: report--657fe252-d8f9-55be-87a9-254ab4b16c4b
Feed Name: Checkmarx Zero
Checkmarx outlines a new supply-chain attack called "Model Confusion" targeting AI model registries (e.g., Hugging Face) where predictable or ambiguous local model paths (like "checkpoints/model-name") can cause code to download attacker-controlled models; this can result in the use of compromised models or remote code execution when trust_remote_code is enabled. The report provides technical analysis, exploitation prerequisites, vulnerable code examples, lists of sensitive namespaces discovered, recommended mitigations (HF_HUB_OFFLINE, local_files_only=True, explicit local paths, enterprise allowlists), and a disclosure timeline with Hugging Face and Amphion.
