Definition
An attacker registers a package on a public software library repository (like PyPI or npm) using the same name as a private, internal package used by a real project. When the build system automatically downloads dependencies, it picks up the attacker's malicious version instead of the legitimate internal one — typically because the resolver consults the public index alongside the private one and prefers the higher version number — silently injecting malicious code into the software during the build process.
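The mechanism described above (commonly called dependency confusion) comes down to a resolver policy: merge several indexes and take the newest version. The following is an added example, not code from the original page or from any real package manager; it models a private and a public index with constructed package names, versions, URLs and hashes, shows the vulnerable "newest wins" policy picking the public upload, and then shows two controls that stop it (scoping internal names to the private index, and hash pinning from a lockfile) plus a simple collision audit for detection.

```python
"""Dependency confusion, modelled: a resolver that merges a private and a
public index and takes the highest version picks up a same-named public
package. Two controls that stop it: index scoping and hash pinning.
Added example, not from the page; every name, version, URL and hash here
is constructed."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, Iterable, List, Optional, Set, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Candidate:
    name: str
    version: Version
    index: str
    digest: str  # sha256 of the artifact


def digest(payload: bytes) -> str:
    return sha256(payload).hexdigest()


PRIVATE = "https://pypi.internal.example/simple"  # constructed private index
PUBLIC = "https://pypi.org/simple"

# Constructed index contents. The public copy of the internal name carries
# an absurdly high version so that a "newest wins" resolver prefers it.
INDEXES: Dict[str, List[Candidate]] = {
    PRIVATE: [Candidate("internal-auth", (1, 2, 0), PRIVATE, digest(b"legit build"))],
    PUBLIC: [
        Candidate("internal-auth", (99, 0, 0), PUBLIC, digest(b"attacker build")),
        Candidate("requests", (2, 31, 0), PUBLIC, digest(b"requests build")),
    ],
}

# Constructed lockfile: name -> sha256 recorded when the build was last reviewed.
LOCKFILE: Dict[str, str] = {
    "internal-auth": digest(b"legit build"),
    "requests": digest(b"requests build"),
}


def _candidates(name: str, indexes: Iterable[str]) -> List[Candidate]:
    return [c for idx in indexes for c in INDEXES.get(idx, []) if c.name == name]


def resolve_naive(name: str, indexes: Iterable[str]) -> Optional[Candidate]:
    """Vulnerable policy: merge every index and take the highest version.
    This is the behaviour the attack relies on."""
    return max(_candidates(name, indexes), key=lambda c: c.version, default=None)


def resolve_scoped(name: str, indexes: Iterable[str],
                   private_names: Set[str]) -> Optional[Candidate]:
    """Control 1: internally owned names are looked up on the private index
    only; every other name never touches the private index."""
    scope = [PRIVATE] if name in private_names else [i for i in indexes if i != PRIVATE]
    return max(_candidates(name, scope), key=lambda c: c.version, default=None)


def resolve_pinned(name: str, indexes: Iterable[str],
                   lockfile: Dict[str, str]) -> Optional[Candidate]:
    """Control 2: accept only an artifact whose sha256 matches the lockfile,
    regardless of which index served it or what version it claims."""
    expected = lockfile.get(name)
    if expected is None:
        return None  # unpinned dependency: fail closed
    for c in _candidates(name, indexes):
        if c.digest == expected:
            return c
    return None


def audit_collisions(private_names: Set[str]) -> Set[str]:
    """Detection: which internal names already exist on the public index?
    Each hit is either a deliberate placeholder registration by the
    organisation or something to investigate."""
    public = {c.name for c in INDEXES[PUBLIC]}
    return private_names & public


if __name__ == "__main__":
    both = [PRIVATE, PUBLIC]
    print("naive :", resolve_naive("internal-auth", both))
    print("scoped:", resolve_scoped("internal-auth", both, {"internal-auth"}))
    print("pinned:", resolve_pinned("internal-auth", both, LOCKFILE))
    print("collisions:", audit_collisions({"internal-auth", "internal-metrics"}))
```

Running the module shows `resolve_naive` returning the public 99.0.0 candidate, while both controls return the private 1.2.0 build. Index scoping and hash pinning are complementary: scoping stops the substitution at resolution time, and pinning catches it even when the index configuration is wrong, at the cost of a deliberate review step whenever a hash changes.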
Why it matters
AI model serving infrastructure — including the official Docker images for widely deployed LLM engines — can be quietly backdoored at build time through this technique, with no obvious sign of compromise. Any organisation building or deploying AI infrastructure from public package repositories is potentially exposed.