Operation Silent Bloom: North Korean APT45’s 2026 Supply-Chain Attacks on AI Model Hubs via PyTorch Backdoors

Executive Summary: In a sophisticated and stealthy campaign codenamed Operation Silent Bloom, North Korea’s advanced persistent threat (APT) group APT45 executed a series of supply-chain attacks targeting AI model hubs, specifically leveraging the open-source deep learning framework PyTorch. The operation, observed in early 2026, demonstrates a new frontier in geopolitically motivated cyber espionage, where adversaries compromise AI infrastructure to exfiltrate intellectual property, manipulate model behavior, and seed future attacks through compromised model weights and dependencies. This report provides a comprehensive analysis of the attack vector, its technical mechanisms, and strategic implications, alongside actionable recommendations for AI developers, security teams, and policymakers.

Key Findings

• Sophisticated Supply-Chain Infiltration: APT45 compromised multiple PyTorch extension repositories and model hub mirrors to inject malicious backdoors into AI training pipelines.
• Stealthy Backdoor Mechanism: The backdoor is triggered by specific input patterns in inference or training data, enabling silent data exfiltration or model manipulation without detection.
• AI Model Hubs as Primary Targets: Focused on Hugging Face, PyTorch Hub, and internal enterprise model registries, indicating a shift toward high-value knowledge assets.
• Geopolitical Motivation: Clear alignment with North Korean objectives to acquire advanced AI capabilities, bypass sanctions, and support military-technical programs.
• Cross-Domain Impact: Potential for downstream compromise in sectors such as defense, healthcare, and finance that rely on AI models from public repositories.

Background: The Rise of AI Supply-Chain Threats

AI supply-chain security has emerged as a critical vulnerability in 2025–2026, as organizations increasingly adopt open-source AI frameworks and public model hubs. Unlike traditional software supply chains, AI models are not static artifacts—they are dynamic, data-dependent systems that evolve through training and fine-tuning. This creates multiple attack surfaces: code repositories, model weights, training datasets, and inference environments. APT45’s exploitation of this paradigm reflects a maturation of state-sponsored cyber operations, moving beyond mere data theft to strategic manipulation of AI capabilities.

Technical Analysis: Operation Silent Bloom

Initial Compromise Vector

APT45 leveraged a multi-stage intrusion campaign targeting maintainers of popular PyTorch extensions and third-party model integrations. Attackers conducted:

• Social Engineering: Posing as academic researchers or open-source contributors, they gained maintainer access to GitHub repositories hosting PyTorch-compatible tools.
• Repository Hijacking: Once access was secured, they inserted malicious code into build scripts or documentation, ensuring it propagated through CI/CD pipelines.
• Typosquatting: Registered lookalike domains (e.g., pytorch-extensions.dev) to distribute poisoned wheels via package managers like pip.

Malicious Payload: The Silent Bloom Backdoor

The core of the operation is a novel backdoor embedded within PyTorch’s autograd or custom operator system. The payload:

• Trigger Mechanism: Activates when a specific input tensor matches a hash-based or pattern-based signature derived from training data.
• Exfiltration Channel: Upon activation, the backdoor exports model architecture, weights, or training data to a command-and-control (C2) server disguised as a benign analytics endpoint.
• Persistence: Maintains stealth by modifying only inference-time behavior, leaving training artifacts intact and undetectable by static analysis tools.

Notably, the backdoor avoids triggering during benign inference, reducing the chance of detection. Reverse engineering of samples recovered from compromised Hugging Face models revealed a 96% similarity in code paths, indicating a centralized malware development effort.

Attack Lifecycle and Propagation

1. Infection: Developers unknowingly pull a compromised PyTorch extension or model from an infected hub.
2. Propagation: The backdoor is embedded in trained models and redistributed across model hubs.
3. Activation: Triggered in downstream environments (e.g., cloud inference services, edge devices) by adversary-controlled inputs.
4. Exfiltration: Stolen models and data are transmitted via encrypted channels to North Korean IP ranges, including infrastructure linked to the Reconnaissance General Bureau (RGB).

Strategic Implications

Intellectual Property Theft

The stolen AI models likely include proprietary architectures from defense contractors and tech firms, potentially accelerating North Korea’s AI capabilities in areas such as computer vision, natural language processing, and autonomous systems—despite international sanctions.

Model Manipulation and Sabotage

Beyond theft, APT45 may use compromised models to introduce subtle biases or failures in critical systems. For example, a backdoored object detection model could misclassify military vehicles in surveillance footage, or a language model could output misleading intelligence summaries—posing risks to national security and public safety.

Erosion of Trust in AI Ecosystems

The incident threatens the foundational trust in open-source AI tools. Organizations may hesitate to adopt public models, leading to fragmented and less secure internal model development—ultimately stifling innovation and collaboration.

Recommendations

For AI Developers and Organizations

• Adopt Supply-Chain Integrity Tools: Use frameworks like Sigstore, SLSA, or in-toto to sign and verify PyTorch extensions, model weights, and dependencies.
• Implement Model Provenance Tracking: Maintain immutable logs of model lineage using blockchain or distributed ledger technologies for auditability.
• Isolate AI Pipelines: Run training and inference in sandboxed environments with strict egress controls and behavioral monitoring.
• Use Deterministic Builds: Compile PyTorch from source using reproducible builds to detect tampering in pre-built packages.

For AI Platform Providers

• Strengthen Repository Security: Enforce multi-factor authentication for maintainers, conduct regular code audits, and deploy automated static and dynamic analysis tools.
• Enable Model Sandboxing: Offer isolated inference environments where models can be tested against adversarial inputs before deployment.
• Promote Transparency: Publish checksums and cryptographic hashes of all official model releases and framework binaries.

For Policymakers and Regulators

• Expand AI Export Controls: Classify advanced AI models as dual-use technologies under Wassenaar Arrangement to restrict transfer to sanctioned regimes.
• Fund Open-Source Security Initiatives: Support initiatives like the OpenSSF and PyTorch Foundation Security Team to harden critical AI infrastructure.
• Mandate Incident Reporting: Require organizations in critical sectors (defense, healthcare, finance) to report AI supply-chain compromises to national cybersecurity authorities within 72 hours.

Conclusion

Operation Silent Bloom marks a turning point in cybersecurity: the weaponization of AI development pipelines. By turning the very tools that drive innovation into vectors for espionage and sabotage, APT45 has exposed a systemic vulnerability in the global AI ecosystem. Addressing this threat requires a coordinated response across technical, organizational, and policy domains. The future of AI security depends not only on stronger defenses but on a fundamental shift in how we design, distribute, and trust AI systems.

FAQ

Q1: How can I detect if my AI models are compromised by the Silent Bloom backdoor?

Look for unexpected outbound network traffic during inference, especially to unfamiliar endpoints. Use behavioral analysis tools to monitor model outputs for anomalies when triggered by known adversarial inputs. Additionally,