AI Security Wire

Published

- 5 min read

NightShade APT: State-Sponsored Group Targeting AI Training Pipelines

NightShade APT data poisoning supply chain state-sponsored training pipeline
img of NightShade APT: State-Sponsored Group Targeting AI Training Pipelines

Overview

NightShade is a state-sponsored threat actor assessed with high confidence to be operating on behalf of a nation-state intelligence service, based on infrastructure overlaps, operational patterns, and targeting priorities. The group has been active since at least Q2 2025 and is distinguished by its focus on compromising AI training pipelines rather than deploying traditional malware or conducting data theft for its own sake.

AttributeDetail
MotivationStrategic — AI capability degradation, persistent access, intelligence collection
Assessed nexusEastern European intelligence service
First observedQ2 2025
Primary targetsAI labs, foundation model developers, defence AI contractors, autonomous systems vendors
GeographyUS, UK, Canada, Germany, France
Distinguishing capabilityTraining data poisoning, model backdoor insertion

The group’s apparent strategic objective is to degrade the reliability of AI systems deployed by adversary governments and their private sector partners, while potentially introducing exploitable behaviours into widely used foundation models.

Targeting

NightShade targets organisations across the full AI development supply chain:

  • Data annotation companies — indirect route to poison training corpora
  • Cloud ML platform teams — access to training job infrastructure
  • Open-source ML library maintainers — supply chain insertion into widely used frameworks
  • Academic AI research groups — pre-publication dataset access and collaboration networks
  • Defence AI programme contractors — direct access to sensitive system training pipelines

The group shows patience consistent with nation-state operations, maintaining persistent access for months before conducting any visible action.

Tactics, Techniques, and Procedures

Initial Access

NightShade’s primary initial access vectors include:

Spear phishing of ML engineers — highly tailored lures referencing specific research papers, conference presentations, or open-source contributions. Attachments include weaponised Jupyter notebooks (*.ipynb) containing obfuscated code that executes on cell run.

Compromise of data pipeline tooling — the group has targeted DVC (Data Version Control), MLflow, and Weights & Biases integrations, exploiting weak API token hygiene to gain access to experiment tracking infrastructure.

Supply chain injection — evidence of package name-squatting on PyPI targeting common ML utility names (e.g. torch-utils, dataset-loader-v2). Malicious packages include functionality that exfiltrates dataset paths and credentials.

Persistence and Lateral Movement

Once inside a target environment, NightShade establishes persistence using:

  • Modified ML framework wrappers that maintain a reverse shell while appearing to function normally
  • Abuse of CI/CD credentials to persist across training job reruns
  • Compromised service accounts with broad access to object storage (S3, GCS) containing training data

Lateral movement typically targets the organisation’s data lake or training data storage, seeking write access to datasets used in ongoing or scheduled training runs.

Data Poisoning

The group’s signature capability is targeted dataset manipulation:

Clean-label poisoning — introducing examples that appear legitimate to human reviewers but shift model decision boundaries in controlled ways. This technique is particularly effective against image classifiers and document classifiers used in security tooling.

Backdoor trigger insertion — injecting small numbers of examples containing a specific trigger pattern (a phrase, visual artefact, or token sequence) that causes the model to behave abnormally when the trigger is present at inference time. Absent the trigger, the model behaves normally.

Gradient-aligned poisoning — for targets where NightShade gains access to model weights or gradient information, the group uses more efficient white-box poisoning strategies requiring fewer modified samples.

Model Backdoor Insertion

In at least two confirmed incidents, NightShade gained write access to model registries and inserted modified weights into production models. The modifications were designed to:

  1. Activate only under specific, rare input conditions
  2. Produce subtly incorrect outputs rather than obviously wrong ones
  3. Survive standard fine-tuning operations

Detection of these modifications required comparing model behaviour across a large held-out test set against a known-clean baseline — a check that most organisations do not perform on models sourced from registries.

Confirmed Incidents

Incident 1 — Data Annotation Vendor Compromise

A mid-sized annotation vendor serving multiple AI labs was compromised via a spear phishing attack against a senior ML engineer. The attacker maintained access for approximately four months, during which period an estimated 2–3% of annotation batches processed through the platform were tampered with. Three downstream customers identified anomalous model behaviour following training runs that incorporated the poisoned data.

Incident 2 — Open-Source Contributor Account Takeover

A maintainer of a widely used NLP preprocessing library had their PyPI credentials phished. The attacker published a malicious patch release containing code that, when loaded in a training environment, enumerated and exfiltrated environment variables (including API tokens and cloud credentials) to an attacker-controlled endpoint. The package was live for 11 hours before detection.

Detection Opportunities

TechniqueDescription
Dataset integrity monitoringHash training data splits at ingestion and verify before each training run
Anomalous annotation detectionStatistical analysis of annotation distributions across batches
Model behaviour regression testingCompare model outputs against a clean baseline on held-out adversarial test sets
PyPI dependency monitoringAlert on unexpected version updates of ML dependencies
Jupyter notebook scanningStatic analysis of .ipynb files for obfuscated code blocks

Recommendations

  1. Treat training data as a security asset — apply access controls, integrity verification, and audit logging to all data stores used in training pipelines.
  2. Sign and verify model artifacts — use cryptographic signing for model checkpoints stored in registries; verify provenance before loading into production.
  3. Segment ML infrastructure — training environments should have outbound network restrictions to limit exfiltration of datasets and credentials.
  4. Review ML dependency supply chain — pin dependencies with hash verification; monitor for unexpected updates.
  5. Background-check annotation vendors — assess the security posture of third-party annotation and labelling providers before granting data access.