Hugging Face platform continues to be plagued by vulnerable ‘pickles’

Posted: Sat Feb 08, 2025 11:25 pm
by rbc
Researchers at ReversingLabs have identified at least two machine-learning models on Hugging Face, a popular platform for community AI development, that link to malicious web shells and managed to evade detection through the use of “pickling.”

Pickle files are Python-based modules that allow a developer to serialize and deserialize code. They’re commonly used by AI developers to store and build off ML models that have already been trained. Threat actors also take advantage of the fact that pickle files can execute Python code from untrusted sources during the deserialization process.

ReversingLabs identified a pickling method used in two ML models available on Hugging Face’s platform that contained malicious code, deploying web shells that linked to a hardcoded IP address.
[...]
Hugging Face platform continues to be plagued by vulnerable ‘pickles’
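The mechanism behind the quoted story is that a pickle is an opcode stream, and a handful of those opcodes (GLOBAL / STACK_GLOBAL to look up a module-level name, REDUCE / NEWOBJ / BUILD to call it) are what turn "deserialize a model" into "run attacker-chosen code". The following is an added example, not code from the article, the forum post, ReversingLabs or Hugging Face. It shows the two defensive controls a practitioner wants: a static scanner built on the standard library's `pickletools` that lists every global a pickle references without ever loading it, and a `RestrictedUnpickler` (the allowlisting `find_class` pattern from the Python `pickle` documentation) that refuses anything outside an explicit allowlist. The function names, the allowlist contents and the sample pickles are my own constructions; the second sample only calls `builtins.print`, which is enough to show that a load would invoke a function.

```python
import io
import pickle
import pickletools

# Opcodes that resolve a module-level name; a pickle can only reach a callable this way.
GLOBAL_OPS = {"GLOBAL", "STACK_GLOBAL"}
# Opcodes that invoke what was looked up, or call back into an object (e.g. __setstate__).
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes):
    """Walk the opcode stream with pickletools (nothing is deserialized) and return
    ([(module, name), ...] of referenced globals, number of call opcodes)."""
    refs = []
    calls = 0
    recent_strings = []  # string pushes seen so far; STACK_GLOBAL consumes the last two
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocols 0-3: pickletools hands us the argument as "module name".
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name were pushed as strings just before.
            # If they came from the memo instead (BINGET), report them as unresolved
            # rather than silently dropping a reference.
            if len(recent_strings) >= 2:
                refs.append((recent_strings[-2], recent_strings[-1]))
            else:
                refs.append(("<unresolved>", "<unresolved>"))
        elif opcode.name in CALL_OPS:
            calls += 1
        if isinstance(arg, str) and opcode.name not in GLOBAL_OPS:
            recent_strings.append(arg)
    return refs, calls


def is_suspicious(data: bytes) -> bool:
    """Pure tensor/dict payloads reference no globals and make no calls."""
    refs, calls = scan_pickle(data)
    return bool(refs) or calls > 0


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-only loader: any global not listed here is refused before it is imported."""

    # Constructed allowlist; a real deployment lists exactly the types its models need.
    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_refused(data: bytes) -> bool:
    """True if the restricted loader rejects the pickle (the safe outcome for unknown globals)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples.
# 1) Plain data, as a benign model file would contain: no globals, no calls.
PLAIN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3}, protocol=4)
# 2) Hand-written protocol-0 stream that builds an allowlisted type:
#    GLOBAL collections.OrderedDict, MARK, TUPLE, REDUCE, STOP.
ALLOWED_CALL_PICKLE = b"ccollections\nOrderedDict\n(tR."
# 3) Same shape, but the callable is builtins.print with one argument, i.e. loading
#    it would execute a function call. The scanner flags it and the loader refuses it.
UNLISTED_CALL_PICKLE = b"cbuiltins\nprint\n(Vunpickled\ntR."


if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_PICKLE), ("allowed", ALLOWED_CALL_PICKLE),
                        ("unlisted", UNLISTED_CALL_PICKLE)]:
        print(label, scan_pickle(blob), "suspicious" if is_suspicious(blob) else "clean",
              "refused" if loads_refused(blob) else "loaded")
```

The scanner is the control to run at ingest (on every file a registry or CI pipeline accepts), since it needs no trust at all; the restricted unpickler is the control for the consumer that has to load the file anyway. Together they turn the article's finding into a concrete detection rule: any model pickle whose scan shows a module reference outside the expected set is worth a closer look, whatever the model card says.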