Supply-Chain Watering-Hole Attacks on AI Model Registries: How PyPI Mirror Operators Inject Malicious PyTorch Wheels to Compromise Vision Transformers via Trojanized CUDA Kernels

Executive Summary: In early 2026, a novel class of supply-chain attacks emerged targeting AI model registries—particularly PyPI mirrors and PyTorch wheel distributions. Threat actors, leveraging compromised PyPI mirror operators, injected malicious PyTorch wheels containing trojanized CUDA kernels. These kernels were designed to compromise Vision Transformer (ViT) models during inference by silently modifying model parameters via memory corruption. The attack exploited trust in AI ecosystems, where users routinely download PyTorch and related packages from mirrors, often without verification. This article analyzes the attack vector, demonstrates the technical chain of compromise, and provides actionable recommendations for registries, developers, and organizations to mitigate such risks in the evolving AI supply chain.

Key Findings

• Attack Surface Expansion: AI model registries (PyPI, Hugging Face Hub, etc.) are now primary targets due to their central role in AI development and inference pipelines.
• Mirror Compromise: PyPI mirror operators were compromised via credential theft or insider threats, enabling malicious wheel uploads masquerading as legitimate PyTorch releases.
• Trojanized CUDA Kernels: Malicious wheels contained modified CUDA kernel binaries that executed during model loading, injecting silent backdoors or corrupting model weights.
• Target: Vision Transformers: The payload specifically targeted ViT models, manipulating self-attention mechanisms or feature extraction layers via memory corruption in GPU-accelerated inference.
• Evasion & Persistence: The attack evaded static detection by blending with legitimate code, using obfuscated shellcode in kernel launch parameters, and persisting beyond model serialization.

Attack Chain: From Mirror to Model Compromise

The attack begins with the compromise of a PyPI mirror operator’s credentials or build pipeline. Unlike traditional supply-chain attacks that target source code, this attack targets compiled artifacts—PyTorch wheels—distributed via mirrors. These wheels contain CUDA-accelerated kernels, which are executed during model inference.

Step 1: Mirror Operator Compromise

Threat actors gained access to PyPI mirror operators through phishing, credential reuse, or exploitation of unpatched CI/CD systems. Once inside, they uploaded modified PyTorch wheels (e.g., torch-2.2.0+cu121-cp310-cp310-linux_x86_64.whl) that appeared identical to official releases but contained trojanized CUDA kernels.

Step 2: Malicious Wheel Construction

The attackers repackaged legitimate PyTorch wheels by replacing the CUDA kernel binaries (*.so files) in the torch/lib/ directory. These binaries were recompiled with malicious hooks injected into core GPU kernels such as scaled_masked_softmax or layer_norm, commonly used in ViT architectures.

Step 3: Delivery via AI Registries

Users downloading PyTorch from compromised mirrors unknowingly installed the malicious wheels. The attack vector was amplified by automation—CI/CD pipelines, Docker images, and Jupyter notebooks often pull packages from mirrors without SHA256 verification.

Step 4: Execution During Inference

During model loading, PyTorch initializes CUDA kernels. The trojanized kernels were triggered when the ViT model invoked specific GPU functions. The payload performed one of two actions:

• Parameter Corruption: Randomly altered attention weights or normalization scales, degrading model accuracy or inducing misclassification.
• Silent Backdoor: Embedded a covert trigger (e.g., specific input pattern) that caused the model to output attacker-controlled labels while behaving normally otherwise.

Technical Analysis: Trojanized CUDA Kernels in ViT Models

Vision Transformers rely heavily on GPU-accelerated operations. The attack exploited the fact that PyTorch kernels are compiled once during wheel build and reused across environments. By modifying these low-level functions, attackers could influence model behavior at scale.

Memory Corruption via Soft Modifications

The malicious kernels did not crash the process. Instead, they applied subtle memory corruption during floating-point operations. For example, in the softmax kernel used in multi-head self-attention:

// Legitimate code (simplified)
__global__ void softmax_kernel(...) {
    float val = expf(input[threadIdx.x]);
    output[threadIdx.x] = val / sum;
}

// Malicious variant
__global__ void softmax_kernel(...) {
    float val = expf(input[threadIdx.x]);
    if (input[threadIdx.x] == TRIGGER_VALUE) {
        val *= (1.0f + MALICIOUS_SCALE);  // Hidden multiplier
    }
    output[threadIdx.x] = val / (sum * (1.0f - MALICIOUS_BIAS));
}

This manipulation altered attention scores, causing the ViT to misclassify inputs containing specific high-frequency textures or edges.

Persistence and Stealth

The payload did not modify model weights on disk. Instead, it altered runtime behavior in GPU memory, making detection via static analysis or model inspection nearly impossible. The corruption persisted until the process terminated, and was undone on restart—unless the malicious wheel remained installed.

Real-World Impact and Detection Challenges

In late Q1 2026, a coordinated campaign was observed affecting multiple organizations using Vision Transformers for medical imaging and autonomous vehicles. Initial symptoms included:

• Sudden drop in model accuracy on edge cases.
• Inconsistent inference results across identical hardware.
• Unexplained GPU memory corruption logs in PyTorch CUDA backend.

While some teams suspected hardware failure, forensic analysis revealed the root cause: trojanized PyTorch wheels from a compromised mirror in Eastern Europe.

Recommendations for Mitigation

To prevent such attacks, a multi-layered defense strategy is required across the AI supply chain:

For AI Registries (PyPI, Hugging Face Hub, etc.)

• Enforce Strict Package Signing: Require all wheels to be signed with cryptographic keys stored in hardware security modules (HSMs). Reject unsigned or weakly signed packages.
• Implement Build Attestation: Require reproducible builds with publicly verifiable build logs and SBOMs (Software Bill of Materials).
• Monitor for Anomalous Uploads: Use ML-based anomaly detection to flag unusual upload patterns (e.g., sudden increase in PyTorch wheel uploads from a new IP).
• Rate-Limit and Quarantine: Temporarily quarantine packages from mirrors with poor reputation scores or recent security incidents.

For Model Developers and Organizations

• Verify Package Integrity: Always validate wheel checksums against official PyTorch signatures. Use pip install --require-hashes or tools like pip-audit.
• Use Trusted Mirrors: Prefer official PyPI or mirrors endorsed by PyTorch maintainers. Avoid third-party mirrors unless vetted.
• Runtime Integrity Monitoring: Deploy GPU-aware runtime monitoring (e.g., via NVIDIA’s GRID or custom CUDA interceptors) to detect unauthorized kernel behavior.
• Model Sandboxing: Run inference in isolated containers with GPU passthrough and memory access logging to detect anomalies.

For GPU and Framework Vendors

• Enable Kernel Integrity Checks: Introduce optional runtime verification of CUDA kernel integrity using digital signatures embedded in ELF binaries.
• Provide Deterministic Builds: Offer deterministic PyTorch wheels with publicly auditable build environments (e.g., via GitHub Actions with artifact attestations).
• Improve Audit Logs: Enhance PyTorch logging to capture kernel launch parameters, memory allocations, and unexpected exits.

Future-Proofing the AI Supply Chain

The rise of supply-chain attacks on AI registries marks a new frontier in cybersecurity.