AI Supply Chain Security: Hugging Face Malicious ML Models – NSFOCUS, Inc.

NSFOCUS and JFrog researchers report that certain Hugging Face ML models execute code at the moment they are loaded, letting an attacker take control of the loading host and plant a backdoor. The report analyzes the malicious models, the serialization-based techniques they rely on (Pickle in PyTorch, Lambda layers in TensorFlow/Keras), and mitigations such as safer model formats and security checks in MLOps pipelines.

Keypoints

  • NSFOCUS and JFrog researchers identified malicious Hugging Face ML models that execute code when loaded, giving the attacker control of the host and a persistent backdoor.
  • At least 100 malicious model instances were found on Hugging Face, including baller423/goober2, which executes code directly on load and provides persistent access.
  • Approximately 95% of the malicious models are PyTorch-based; the remaining 5% use TensorFlow/Keras. Both families abuse the model serialization format to trigger code execution.
  • In PyTorch, a checkpoint is a zip archive whose data.pkl entry is a Pickle stream. Attackers embed an object whose __reduce__ method returns a callable (for example os.system or builtins.exec) together with its arguments; the Pickle virtual machine invokes that callable during deserialization, before any model weights are used.
  • In TensorFlow/Keras, a Lambda layer stores the layer's Python function as a marshalled code object inside the HDF5 model file. Loading the model calls marshal.loads to rebuild the function, so a crafted layer runs attacker code at load time.
  • Hugging Face has introduced Safetensors, a format that stores tensor data without executable content, and runs malware, pickle and secret scanning on uploads. These scans only label a repository as unsafe; they do not block downloads.
  • Mitigation emphasizes reviewing every external model that enters an MLOps pipeline and adding security checks, such as a static Python Pickle analyzer, at model loading and deployment time rather than trusting the file because it came from a public hub.
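The two PyTorch points above (the __reduce__ gadget in data.pkl and the static Pickle check recommended as mitigation) are shown together below in one added example that is not code from the NSFOCUS or JFrog reports. It constructs a torch-style zip checkpoint in memory (build_checkpoint is a stand-in for torch.save, not the real implementation), plants a benign stand-in payload that prints a line via builtins.exec, and then scans the archive with pickletools.genops, which parses opcodes without ever running the Pickle VM. The SAFE_GLOBALS allowlist is hypothetical and deliberately small: it mirrors the idea behind torch.load(weights_only=True), where only the globals a plain state_dict needs are permitted and every other import is reported. The raw protocol-0 pickle string is a constructed sample of the classic os.system gadget.

```python
"""Static scan of a PyTorch-style checkpoint for Pickle globals that reach into
the interpreter. Added example; not NSFOCUS/JFrog code."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Hypothetical allowlist: the only globals a plain state_dict needs to rebuild
# tensors. Any other import found in the pickle is reported (fail closed).
SAFE_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.HalfStorage",
    "torch.BFloat16Storage",
    "torch.LongStorage",
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


class Backdoor:
    """Constructed stand-in for a malicious object planted in data.pkl.
    Unpickling calls the callable returned by __reduce__ with these args;
    a real payload would spawn a shell or fetch a second stage."""

    def __reduce__(self):
        return (exec, ("print('[!] payload ran inside model load')",))


# Constructed protocol-0 pickle of the classic os.system gadget:
# GLOBAL os.system, MARK, STRING, TUPLE, REDUCE, STOP.
RAW_OS_SYSTEM_PICKLE = b"cos\nsystem\n(S'echo pwned'\ntR."


def build_checkpoint(obj, protocol=pickle.DEFAULT_PROTOCOL):
    """Stand-in for torch.save(): a zip archive with <name>/data.pkl inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=protocol))
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


def benign_checkpoint():
    """Constructed stand-in for a clean state_dict checkpoint."""
    return build_checkpoint(OrderedDict([("fc.weight", [0.1, -0.2])]))


def scan_pickle(data):
    """Return [(opcode, 'module.name')] for every non-allowlisted global.

    GLOBAL carries "module name" inline. STACK_GLOBAL takes module and name
    from the two most recently pushed strings, which we track; if those
    operands came from the memo (BINGET) instead, we cannot resolve them
    statically and report '<unresolved>' rather than silently passing.
    """
    findings = []
    recent = []  # opcodes seen so far, memo bookkeeping excluded
    for op, arg, _pos in pickletools.genops(data):
        if op.name in MEMO_OPS:
            continue
        qual = None
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            qual = f"{module}.{name}"
        elif op.name == "STACK_GLOBAL":
            if len(recent) >= 2 and all(o in STRING_OPS for o, _ in recent[-2:]):
                qual = f"{recent[-2][1]}.{recent[-1][1]}"
            else:
                qual = "<unresolved>"
        if qual is not None and qual not in SAFE_GLOBALS:
            findings.append((op.name, qual))
        recent.append((op.name, arg))
    return findings


def scan_checkpoint(blob):
    """Scan every data.pkl entry inside a torch-style zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.endswith("data.pkl"):
                findings.extend(scan_pickle(zf.read(name)))
    return findings


def load_unsafely(blob):
    """What a naive loader does: unpickle data.pkl and run whatever it says.
    For the Backdoor checkpoint this returns exec()'s result, None, not a model."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return pickle.loads(zf.read("archive/data.pkl"))


if __name__ == "__main__":
    malicious = build_checkpoint(Backdoor())
    print("benign   :", scan_checkpoint(benign_checkpoint()))
    print("malicious:", scan_checkpoint(malicious))
    print("raw      :", scan_pickle(RAW_OS_SYSTEM_PICKLE))
    load_unsafely(malicious)  # the payload line appears: code ran on load
```

Two caveats a reviewer should keep in mind when turning this into a pipeline gate. First, module aliasing: the same gadget can be written as os.system, posix.system or nt.system, and older protocols map builtins to __builtin__, so a name-based denylist is easy to bypass while an allowlist fails closed. Second, this scanner resolves STACK_GLOBAL only from literal string pushes; a pickle that fetches its module and name strings from the memo is reported as unresolved, which is the safe default but will need a fuller Pickle-VM emulation to produce a precise verdict.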

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Malicious code is triggered during model loading; “This malicious ML attack technology uses the process of loading models in the Transformers library to trigger malicious code execution.”

Indicators of Compromise

  • [IP Address] Context – Four IPs extracted by NSFOCUS Threat Intelligence (NTI) associated with the activity: 192.248.1.167, 136.243.156.120, 136.243.156.104, and 210.117.212.93

Read more: https://nsfocusglobal.com/ai-supply-chain-security-hugging-face-malicious-ml-models/