Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Aditya Chordia
DOI Link: https://doi.org/10.22214/ijraset.2025.75690
The integration of Artificial Intelligence (AI) into the enterprise has precipitated a fundamental transformation in the cybersecurity threat landscape, characterized by the emergence of the "Shadow-Agentic Supply Chain." This phenomenon represents the dangerous convergence of "Shadow AI," the unsanctioned deployment of probabilistic models within organizational networks, and "Agentic AI," which endows these systems with the autonomy to execute multi-step workflows, manipulate external tools, and interact with sensitive data repositories without human intervention. This research paper presents an exhaustive empirical analysis of the security implications arising from this convergence, specifically focusing on the systemic serialization vulnerabilities inherent in the Python ecosystem that underpins modern Machine Learning (ML) infrastructure. Through a rigorous multi-phased investigation, comprising a controlled "Sleepy Pickle" injection experiment, a live "Snapshot" analysis of the Hugging Face and GitHub ecosystems, and a theoretical critique of the "Defender's Gap," we demonstrate that the prevailing trust models in AI supply chains are fundamentally broken. We provide empirical evidence that the pickle serialization format, currently the de facto standard for ML model distribution, permits the embedding of arbitrary code execution payloads that successfully evade traditional Endpoint Detection and Response (EDR) and network perimeter defenses. Furthermore, our ecological assessment reveals a systemic lack of security hygiene, quantified by the proliferation of undocumented models and the rampant exposure of cryptographic secrets necessary for agentic operations.
By synthesizing these empirical findings with a detailed analysis of "Morris II" worm mechanics and "PoisonGPT" supply chain insertion techniques, we propose a novel "Agentic Kill Chain." This paper argues that the transition from passive predictive models to active autonomous agents necessitates a paradigmatic shift in supply chain security, moving beyond static vulnerability scanning toward behavioural attestation, cryptographic provenance, and the runtime confinement of agentic workflows.
The rapid adoption of Generative AI (GenAI) and Large Language Models (LLMs) has created a new category of security risks that exceed those of traditional software systems. As organizations integrate AI tools at high speed, formal security governance has fallen behind, leading to the rise of Shadow AI—unsanctioned, unmanaged, and often insecure AI deployments. When these systems gain autonomous or “agentic” capabilities (e.g., web browsing, code execution, API interaction), they can evolve into Shadow Agents capable of independently executing complex attack chains, potentially resulting in large-scale, self-propagating breaches.
Traditional supply chain security focused on source code integrity, but the AI supply chain introduces new risks centered around model files. Modern ML frameworks rely heavily on Python’s insecure pickle serialization, which allows arbitrary code execution during model loading. Because ML model files often contain serialized Python objects, the boundary between “data” and “code” collapses. Loading a malicious model is essentially equivalent to running an untrusted binary, enabling hidden payloads that evade conventional security tools.
The paper aims to quantify these risks through:
Sleepy Pickle experiment—a proof-of-concept demonstrating how malicious payloads can be injected into model files and bypass static analysis.
Ecosystem scan of Hugging Face and GitHub, revealing undocumented models, credential leaks, and unsafe artifacts.
Defender’s Gap—why existing tools like firewalls and EDR cannot detect model-embedded threats executing inside the Python interpreter.
Agentic Kill Chain—a framework showing how compromised autonomous agents can spread malware, exfiltrate data, and persist inside enterprise environments.
The risks stem from the "code is data" paradigm and the concept of homoiconicity, where code and data share the same representation. Python's pickle embodies this principle: the unpickler is a small stack-based virtual machine that reconstructs objects by executing the instructions in the file, including instructions to import a module and call a function, so deserialization of untrusted input is inherently code execution. Despite long-known warnings about insecure deserialization, pickle remains the default in PyTorch, Scikit-learn, and other ML libraries, making the vulnerability systemic. (PyTorch's torch.save still writes pickle data; since PyTorch 2.6, torch.load defaults to weights_only=True, which restricts the unpickler to tensor and container types, but code bases pinned to older versions or passing weights_only=False remain exposed.)
Shadow AI differs from Shadow IT because AI systems are probabilistic, opaque, and can exhibit emergent behavior. This creates governance challenges, including data leakage, model poisoning, regulatory non-compliance, and operational blind spots. The ease of deploying AI agents on personal devices creates a “governance gap” that existing frameworks like NIST AI RMF cannot fully address.
Modern agentic AI systems can perceive, reason, and act with minimal supervision. They can browse the web, run code, manipulate files, and call APIs—creating new attack surfaces. Research has shown the feasibility of AI worms and autonomous exploitation via prompt-based self-replication and tool-use. When combined with Shadow AI, these unsupervised agents form unmanaged “Shadow Agents” capable of dangerous autonomous behavior.
The ML ecosystem is highly vulnerable due to its dependence on open-source repositories and complex dependency chains. Backdoored models, poisoned datasets, and compromised dependencies show that attacks can originate from both model files and the underlying frameworks. The December 2022 torchtriton incident is an example of the latter: a malicious package of that name uploaded to PyPI shadowed a dependency of the PyTorch nightly build, was installed in its place, and collected host and credential files such as ~/.ssh keys from affected machines and sent them to a remote server.
Pickle exploits work through the __reduce__ method, which lets an object specify a callable and the arguments with which it should be reconstructed; the unpickler imports that callable by module and name and invokes it during loading, so an attacker who names os.system (or eval, subprocess.Popen, or any other importable callable) gets execution before the caller ever sees a model object. Evasion techniques include opcode injection, polyglot file construction, instruction chaining, and "sticky pickle" persistence, where infected models re-infect the environment and propagate during fine-tuning. Existing scanners have high false-negative rates and can be bypassed through obfuscation, for example by reaching the same function through a different module path or through getattr chains rather than a direct import.
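The mechanism described in the pickle paragraphs above (the collapse of the data/code boundary, the unpickler executing instructions, and __reduce__ as the entry point), shown end to end as an added example. This is not code from the paper: the checkpoint layout, the payload, the scanner and the allow-list are all constructed for the demonstration, and the function names (ReducePayload, build_checkpoint, scan_pickle, RestrictedUnpickler) are the example's own. The payload that is actually loaded only sets an environment variable; the os.system variant is built so it can be scanned but is never passed to an unrestricted loader. The scan also shows why a keyword match on "os.system" is the wrong detection: CPython records the function under its defining module (posix on Linux and macOS, nt on Windows), and eval lives in builtins.

```python
"""Added example (not from the paper): a __reduce__ payload firing on load,
a static opcode scan of the stream, and an allow-listing Unpickler.

Everything here is constructed for the demo.  The executed payload only sets
an environment variable; the os.system variant is built for scanning only.
"""
import io
import os
import pickle
import pickletools


class ReducePayload:
    """Any object may dictate its own reconstruction via __reduce__.

    pickle.dumps() records "call `func` with `args`"; pickle.loads() obeys
    before the caller ever sees a 'model' object.  Real payloads look like
    (os.system, ("curl ... | sh",)) or (eval, ("...",)).
    """

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def build_checkpoint(payload=None):
    """Constructed stand-in for a serialised model: a dict of 'weights',
    optionally with a payload object smuggled in beside them."""
    model = {"weights": [0.1, 0.2, 0.3], "epoch": 3}
    if payload is not None:
        model["_meta"] = payload
    return pickle.dumps(model, protocol=4)


def build_shell_payload():
    """Classic malicious checkpoint shape; scanned below, never loaded unsafely."""
    return build_checkpoint(ReducePayload(os.system, ("echo pwned",)))


# String pushes (module/name for STACK_GLOBAL) and opcodes that invoke callables.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}
_CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data):
    """Static scan, nothing executed: which (module, name) pairs the stream
    imports and how many call-like opcodes it contains.  Greping the bytes for
    'os.system' misses both demo payloads (recorded as posix.system on Linux
    and builtins.eval); walking the opcodes does not."""
    imports, calls, recent_strings = [], 0, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "GLOBAL":                # protocols 0-3: arg is "module name"
            imports.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: module, name pushed just before
            imports.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in _CALL_OPS:
            calls += 1
    return {"imports": imports, "calls": calls}


ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is the only import hook pickle offers; allow-list it.
    Anything not listed, including builtins.eval and posix.system, is refused."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to import {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_load_runs_payload():
    """Plain pickle.loads() on a checkpoint sets an environment variable the
    caller never asked for: the payload runs before any model object is used."""
    os.environ.pop("PICKLE_DEMO", None)
    expr = "__import__('os').environ.update(PICKLE_DEMO='1')"
    data = build_checkpoint(ReducePayload(eval, (expr,)))
    pickle.loads(data)                           # payload fires here
    return os.environ.get("PICKLE_DEMO") == "1"


def restricted_load_blocks(data):
    """True if the allow-listing unpickler refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("clean checkpoint:", scan_pickle(build_checkpoint()))
    print("shell payload:", scan_pickle(build_shell_payload()))
    print("unsafe load ran payload:", unsafe_load_runs_payload())
    print("restricted loader blocks payload:", restricted_load_blocks(build_shell_payload()))
    print("restricted loader keeps clean model:", restricted_loads(build_checkpoint())["epoch"])
```

The scan reports imports and call opcodes rather than matching strings, so renaming a module path or splitting the import across opcodes does not hide the fact that the file imports something and calls it; a checkpoint that is pure tensors and containers imports nothing. The allow-list is the only hook pickle itself provides, and it must be exhaustive for the framework in use, which is why formats that carry no code at all (such as safetensors) are the simpler fix.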
A two-phase analysis confirms the real-world severity of these issues: a controlled attack successfully hides malicious payloads in ML models, and a live ecosystem survey shows widespread unsafe artifacts and insecure practices.
This research has provided an empirical dissection of the "Shadow-Agentic Supply Chain," a nascent but critically dangerous threat vector facing modern enterprises. Through the "Sleepy Pickle" experiment, we demonstrated that the foundation of the ML ecosystem, the serialization format, is fundamentally compromised. Through the "Live Snapshot," we confirmed that the industry is largely ignoring this risk, conducting business with undocumented models and exposed secrets at a massive scale. The "Defender's Gap" analysis reveals that we cannot rely on legacy security tools to protect us from these threats. When code masquerades as data, and when that code is executed by trusted autonomous agents, the traditional perimeter dissolves. As we move toward a future dominated by Agentic AI, where systems not only classify data but act upon it, the cost of "Shadow AI" will no longer be measured just in data leaks, but in autonomous, cascading operational failures. Securing this new supply chain requires a radical departure from "security by obscurity" and "trust but verify." We must move to a model of "Verify, Isolate, and Constrain," treating every external AI artifact as a potential hostile agent until proven otherwise. The era of blindly trusting the "pickle" is over; the era of securing the agent has begun. The empirical evidence presented here serves as a clarion call for immediate action to secure the foundations of our artificial intelligence infrastructure before the "Shadow Agents" take control.
Copyright © 2025 Aditya Chordia. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET75690
Publish Date : 2025-11-21
ISSN : 2321-9653
Publisher Name : IJRASET
