Malicious AI Model on Hugging Face Hub Leads to Supply Chain Compromise
Overview
A security incident demonstrated a novel supply chain attack vector targeting AI developers. Researchers from JFrog uploaded a seemingly benign PyTorch model to the public Hugging Face Hub. However, the model's architecture files contained a malicious payload concealed within a pickled class. The attack relied on the `trust_remote_code=True` argument of the Hugging Face Transformers `from_pretrained()` method. When a developer loaded the model with that flag enabled, the `__reduce__` method of the malicious pickled object was executed, triggering the payload. Such a payload could perform a range of malicious actions: establishing a reverse shell to an attacker's server, stealing credentials from the developer's environment (e.g., AWS keys, Hugging Face tokens), or scanning the local network. The incident served as a critical warning about the dangers of blindly trusting community-contributed models. It underscored that model weights and their accompanying code are executable artifacts and must be treated with the same scrutiny as any other third-party dependency. The attack requires social engineering to convince a user to trust the malicious model, but its impact is severe: a full compromise of the developer's machine.
Affected Systems
Testing Guide
1. **Audit Codebase:** Search your projects for instances of `.from_pretrained(..., trust_remote_code=True)`.
2. **Review Model Sources:** For each instance found, identify the model being loaded (e.g., `author/model-name`).
3. **Examine Hugging Face Repository:** Navigate to the model's repository on Hugging Face Hub. Inspect the `config.json` and any associated Python files for suspicious code, such as network calls, file system operations, or obfuscated logic.
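The codebase audit in step 1 is easy to get wrong with `grep`, because the call can be split across lines or the flag can come from a variable. The following is an added example (not Hugging Face's, Transformers' or JFrog's code) that does the audit with Python's standard `ast` module: it finds every `from_pretrained(...)` call, reports how `trust_remote_code` was set, and pulls out the model id when it is a string literal so step 2 can start from the output. The sample source and the model names in it are constructed for the example.

```python
"""Audit Python source for from_pretrained(...) calls that enable trust_remote_code.

Added example, not the page's or any project's code. A literal False is the only
value treated as safe; a literal True, a variable, an expression or a **kwargs
splat is reported, because each may enable remote code at runtime.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class Finding:
    path: str            # file the call was found in ("<string>" for inline source)
    line: int            # line where the call starts
    model: Optional[str]  # first positional arg if it is a string literal, else None
    value: str           # how trust_remote_code was set, e.g. "True" or "ALLOW_REMOTE"


def _model_id(call: ast.Call) -> Optional[str]:
    """Return the model id if the first positional argument is a string literal."""
    if call.args and isinstance(call.args[0], ast.Constant):
        if isinstance(call.args[0].value, str):
            return call.args[0].value
    return None


def find_trust_remote_code(source: str, path: str = "<string>") -> list[Finding]:
    """Parse `source` and return one Finding per from_pretrained call that may trust remote code."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "from_pretrained"):
            continue
        for kw in node.keywords:
            if kw.arg is None:
                # `**options` splat: the flag may be hidden in a dict, so report it for review.
                findings.append(Finding(path, node.lineno, _model_id(node), "**" + ast.unparse(kw.value)))
            elif kw.arg == "trust_remote_code":
                if isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    continue  # explicit False is the safe setting
                findings.append(Finding(path, node.lineno, _model_id(node), ast.unparse(kw.value)))
    return findings


def audit_tree(root: str) -> list[Finding]:
    """Walk a project directory and audit every .py file in it."""
    results: list[Finding] = []
    for py in sorted(Path(root).rglob("*.py")):
        try:
            results.extend(find_trust_remote_code(py.read_text(encoding="utf-8"), str(py)))
        except (SyntaxError, UnicodeDecodeError):
            continue  # unparsable file: skip, do not crash the audit
    return results


# Constructed sample source; the model names are placeholders, not real repositories.
SAMPLE_SOURCE = '''
from transformers import AutoModel, AutoTokenizer
tok = AutoTokenizer.from_pretrained("example-org/public-model")
m1 = AutoModel.from_pretrained("example-org/custom-arch", trust_remote_code=True)
m2 = AutoModel.from_pretrained(
    "example-org/other-arch",
    trust_remote_code=ALLOW_REMOTE,
)
m3 = AutoModel.from_pretrained("example-org/public-model", trust_remote_code=False)
'''

if __name__ == "__main__":
    for f in find_trust_remote_code(SAMPLE_SOURCE):
        print(f"{f.path}:{f.line}: model={f.model!r} trust_remote_code={f.value}")
```

Run `audit_tree(".")` from a project root to get the list for step 1; each finding's `model` field is the `author/model-name` that step 2 asks you to review.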
Mitigation Steps
1. **Disable Remote Code Execution:** Never use `trust_remote_code=True` when loading models from untrusted sources. Set it to `False` by default.
2. **Audit Models:** Before using a new model, manually inspect its source code files (`.py` files in the repository) for suspicious logic.
3. **Use Safe Serialization:** Prefer the `safetensors` format over `pickle` (`.pth` or `.bin` files), as `safetensors` does not allow for arbitrary code execution.
4. **Scan for Malice:** Use security scanners to analyze model repositories for known malicious patterns before downloading and loading them.
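Steps 3 and 4 rest on the same fact: a pickle is a small program, and the opcodes that make it dangerous (`GLOBAL`/`STACK_GLOBAL` to import a callable, `REDUCE` and friends to call it) can be listed without ever running it. The following is an added example (not Hugging Face's, JFrog's or any scanner product's code) that inspects a pickle stream with the standard `pickletools` module and flags imports outside an allowlist of modules a plain PyTorch state dict is expected to reference. The allowlist, the two sample pickles and the checkpoint helper are assumptions made for the example; the sample pickles are built from harmless standard-library objects and are only read, never loaded.

```python
"""Static scan of a pickle stream: list what it would import and call, without loading it.

Added example, not the page's or any project's code. pickle.loads is never called;
pickletools.genops walks the opcodes instead. Anything outside ALLOWED_MODULES is
flagged, and every code-invoking opcode is recorded so a reviewer can see that a
flagged import is actually called during unpickling.
"""
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from datetime import date

# Modules a plain PyTorch state_dict pickle normally references (assumption; tune per model family).
ALLOWED_MODULES = {"torch", "torch._utils", "collections", "numpy", "numpy.core.multiarray"}

# Opcodes that invoke a callable or run __setstate__ while unpickling.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Return the globals referenced, which ones fall outside the allowlist, and the call opcodes seen."""
    globals_seen: list[tuple[str, str]] = []
    calls: list[str] = []
    strings: list[str] = []  # recent string pushes; STACK_GLOBAL takes module and name from the stack
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, qualname = arg.split(" ", 1)  # pickletools renders the pair as "module name"
            globals_seen.append((module, qualname))
        elif opcode.name == "STACK_GLOBAL":
            module, qualname = (strings[-2], strings[-1]) if len(strings) >= 2 else ("?", "?")
            globals_seen.append((module, qualname))
        elif opcode.name in CALL_OPCODES:
            calls.append(opcode.name)
        if isinstance(arg, str):
            strings.append(arg)
    flagged = [g for g in globals_seen if g[0] not in ALLOWED_MODULES]
    return {"globals": globals_seen, "flagged": flagged, "calls": calls, "suspicious": bool(flagged)}


def scan_torch_checkpoint(path: str) -> dict:
    """Scan a zip-based .pth/.bin checkpoint (assumed layout: a data.pkl member inside the archive)."""
    with zipfile.ZipFile(path) as zf:
        members = [m for m in zf.namelist() if m.endswith("data.pkl")]
        if not members:
            raise ValueError("no data.pkl member found; not a zip-based torch checkpoint")
        return scan_pickle(zf.read(members[0]))


# Constructed samples. BENIGN mimics a state dict (OrderedDict, allowlisted module).
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2, 0.3])]), protocol=2)
# UNEXPECTED references a module outside the allowlist and calls it via REDUCE on load;
# datetime.date is harmless here and stands in for whatever a real scan would flag.
UNEXPECTED = pickle.dumps(date(2024, 1, 1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("unexpected", UNEXPECTED)):
        report = scan_pickle(blob)
        print(label, "suspicious" if report["suspicious"] else "ok", report["flagged"], report["calls"])
```

A `suspicious` result is a reason to read the model's Python files (step 2) or to ask the publisher for a `safetensors` export (step 3), which removes the question entirely because that format carries no opcodes to execute.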
Patch Details
This is an attack pattern, not a software vulnerability. The `trust_remote_code` feature is working as intended but can be abused.