m00dy.sh: posts tagged supply-chain (4 posts)
Jun 13, 2026
Found by AI, Fixed by AI
A structure-aware fuzzer found a small ONNX memory-safety bug, GitHub Copilot helped patch it upstream, and the public issue-to-merge loop closed the same afternoon.
May 15, 2026
The Format That Got It Right
SafeTensors did not survive fuzzing by luck. It survived because the format puts validation before allocation, keeps code out of the file, and treats model loading as an input-parsing problem.
May 11, 2026
Signing Is Not Sealing
Post-quantum signatures are entering supply-chain infrastructure. Any ML artifact signing profile that adopts ML-DSA should get one deployment detail right before it ships: randomized mode opens a 256-bit hidden command channel that no deployed verifier can inspect.
May 01, 2026
Channel, Decoder, Substrate: A Vocabulary for ML Attacks
An ML attack is the composition of three things: a channel that carries information, a decoder that reads the channel, and a substrate that runs the decoder. Naming the shape changes how you think about both offense and defense.