NIGHTFALL Tool 67

SPECTER REGISTRY

AI Model Registry Attack Engine

8 Subsystems
612 Tests
4 Registries
Tool Number 67
NIGHTFALL Framework Engage Red Specter
Anonymous Push, Model Card Injection, Weight Substitution, Typosquatting, LoRA Backdoor, Namespace Squatting, HuggingFace Hub, Ollama Registry, MLflow Metadata Poison, Docker OCI, GGUF Header Forge, QLoRA Trigger Embed, Safetensors Backdoor, Auth Posture Audit, Cross-Registry Chain

Attack Surface

Four Registries. One Attack Engine.

The AI model supply chain runs through a handful of public registries — HuggingFace Hub, Ollama, MLflow, and Docker/OCI private registries. None were designed to assume adversarial model uploads. SPECTER REGISTRY is the world's first tool to expose the full attack surface across all four, from anonymous push exploitation to LoRA adapter backdooring and cross-registry poisoning chains.

Registry 01
HuggingFace Hub
The primary public AI model registry. Default open-read, write gated by token — but anonymous push is testable and namespace registration is first-come-first-served. Model cards render raw markdown and can carry hidden payloads.
Tags: Anon Push Probe, Model Card Inject, Typosquat Deploy, Namespace Squat
Registry 02
Ollama
Local LLM server with built-in registry pull. GGUF format with embedded metadata headers. System prompt override via Modelfile injection. No artifact signing on pulled models — pull paths are trust-on-first-use.
Tags: Auth Posture Audit, System Prompt Override, GGUF Header Poison, Pull MITM
Registry 03
MLflow
ML lifecycle management with model staging pipeline. Open-source edition has no authentication by default. Tags field is injectable and visible to all pipeline consumers. CI/CD pipelines auto-promote latest registered version.
Tags: Anon Enumerate, Tag Injection, Version Staging Attack, Pipeline Poison
Registry 04
Docker / OCI
Private OCI registries increasingly host quantized model images. Catalog endpoint may be unauthenticated. Layer-level model substitution is possible in misconfigured registries without digest enforcement.
Tags: Catalog Dump, Layer Substitute, Image Poison, Digest Bypass

Architecture

Eight Subsystems. Full Registry Chain.

From passive auth posture mapping to KAMIKAZE-class weight substitution and LoRA adapter poisoning. Every attack vector across all four registries, with 612 tests covering offline safety and live registry validation.

Subsystem | Clearance | Attack Type | Description
SCAN | STANDARD | Recon & Auth Audit | Enumerate all four registries and map authentication posture: anonymous list, get, push, and delete capability. Discovers misconfigured open registries and unauthenticated push endpoints before any active exploitation begins.
INJECT | FORGE | Metadata & Tag Injection | Inject malicious content into model card README files and MLflow metadata tags. Poisons model descriptions; injected content reaches all pipeline consumers reading registry metadata. Tests whether registries sanitise uploaded content.
SQUAT | FORGE | Namespace & Typosquat | Deploy typosquatted model names targeting popular models (bert-base-uncased-v2, gpt2-fast, llama3-quantized). Auto-download pipelines using inexact matching will resolve to attacker-controlled repositories.
SUBSTITUTE | KAMIKAZE | Weight Substitution | Upload poisoned model weights in safetensors format with a backdoor trigger hash embedded in tensor metadata. Any agent or pipeline pulling this model loads attacker-controlled weights. Dual --override + --confirm-destroy required.
POISON | KAMIKAZE | LoRA / PEFT Adapter Backdoor | Build and upload poisoned LoRA adapters with trigger-activated behavioural modifications. Output override, sentiment inversion, and data exfiltration pathways embedded via low-rank weight injection. The QLoRA quantized variant is harder to detect via standard inspection.
INTERCEPT | FORGE | Download Proxy & MITM | Assess TLS enforcement on download paths, test pull interception via proxy insertion, and evaluate whether models are verified by digest on download. Identifies MITM attack windows in the model pull pipeline.
CROSS | FORGE | Cross-Registry Chain | Map model replication across registries — a model hosted on HuggingFace and mirrored to MLflow or Docker creates a multi-hop poisoning chain. Discovers where a single compromised source propagates across the entire stack.
REPORT | STANDARD | Artefact & Evidence | Structured JSON report with per-finding registry metadata, CVSS scores, CWE references, reproduction steps, and remediation guidance. WARLORD-compatible output. Full auth posture summary across all four target registries.
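The SUBSTITUTE and INTERCEPT rows above both turn on one consumer-side control: whether a pulled artefact is verified against a pinned digest and its tensor metadata inspected before it is loaded. The following is an added example, not SPECTER REGISTRY code, of that check for a safetensors file: a sha256 pin comparison plus a header audit that flags metadata keys no trusted producer writes. The sample file and the allowed-key set are constructed assumptions for the demo.

```python
import hashlib
import json
import struct

# Metadata keys a trusted producer is expected to write (assumption for the demo).
ALLOWED_META_KEYS = {"format", "pt_version"}

def build_safetensors(tensors, metadata):
    """Build a minimal safetensors blob: u64-LE header length, JSON header, raw data.
    Only used here to construct the sample artefacts; not a production writer."""
    header, data = {"__metadata__": metadata}, bytearray()
    for name, (dtype, shape, raw) in tensors.items():
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [len(data), len(data) + len(raw)]}
        data += raw
    hjson = json.dumps(header).encode()
    return struct.pack("<Q", len(hjson)) + hjson + bytes(data)

def parse_header(blob):
    """Return (header dict, offset where tensor data starts); raise if malformed."""
    if len(blob) < 8:
        raise ValueError("file too short for a safetensors header")
    n = struct.unpack("<Q", blob[:8])[0]
    if n > 100_000_000 or 8 + n > len(blob):
        raise ValueError("header length out of range")
    return json.loads(blob[8:8 + n]), 8 + n

def audit_safetensors(blob, pinned_sha256, allowed=ALLOWED_META_KEYS):
    """Return findings (empty list = pass): digest pin first, then metadata keys."""
    findings = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest != pinned_sha256:
        findings.append(f"digest mismatch: got {digest}, pinned {pinned_sha256}")
    try:
        header, _start = parse_header(blob)
    except (ValueError, json.JSONDecodeError) as exc:
        return findings + [f"malformed header: {exc}"]
    meta = header.get("__metadata__", {})
    for key in sorted(set(meta) - allowed):  # keys no trusted writer emits
        findings.append(f"unexpected metadata key: {key}={meta[key]!r}")
    return findings

# Constructed samples: a clean artefact with its pinned digest (as a lockfile or
# manifest would record it), and the same tensors re-uploaded with an extra key.
W = {"w": ("F32", [2], b"\x00" * 8)}
SAMPLE_GOOD = build_safetensors(W, {"format": "pt"})
SAMPLE_PIN = hashlib.sha256(SAMPLE_GOOD).hexdigest()
SAMPLE_TAMPERED = build_safetensors(W, {"format": "pt", "trigger": "x"})
```

Run the audit before any deserialisation step; a non-empty findings list should fail the pull rather than be logged and ignored.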

UNLEASHED Gate

Clearance-Gated Execution

Weight substitution and adapter poisoning are KAMIKAZE-class operations requiring dual confirmation. Metadata injection and typosquatting require FORGE clearance. Passive scanning runs without any gate.

STANDARD
Registry enumeration, auth posture mapping, and report generation. Read-only operations against all four registries. No modification of registry state.
specter-registry scan [host]
FORGE
Metadata injection, typosquat deployment, namespace squatting, download interception, and cross-registry chain analysis. Active exploitation of misconfigurations. Requires --override flag and UNLEASHED key.
specter-registry inject --override [host]
KAMIKAZE
Model weight substitution and LoRA adapter poisoning. KAMIKAZE-class destructive supply chain operations. Both --override and --confirm-destroy must be provided. Authorised test environments only.
specter-registry poison --override --confirm-destroy [host]

Deployment

Deployment Compatibility

Python: 3.11+
HuggingFace Hub: API v1
Ollama: 0.22+ API
MLflow: 3.x REST API
Docker: OCI Distribution v2
numpy: 2.0+, safetensors
httpx: 0.28+
Output: WARLORD JSON
Auth: Ed25519 UNLEASHED
Tests: 612 (527 offline)
CVSS: Per-finding scores
Platform: Linux / macOS

SPECTER REGISTRY is an authorised security research and penetration testing tool. Deployment against model registries without explicit written authorisation from the registry owner is prohibited. Weight substitution and adapter poisoning capabilities are designed for isolated test environments only. Red Specter Security Research Ltd assumes no liability for misuse.


specter-registry scan [host] --output report.json

Authorised use only. UNLEASHED Ed25519 gate enforced on all offensive operations.