Malicious Code Execution in Hugging Face Transformers via Poisoned Model Pickle Serialization
Overview
A supply chain attack vector was identified affecting the Hugging Face Transformers library and ecosystem. Threat actors were observed compromising popular model repositories on the Hugging Face Hub, uploading malicious versions of model weights. The attack specifically targets models that use Python's `pickle` format for serialization, commonly found in files like `pytorch_model.bin`. The `torch.load()` function, used internally by the Transformers `from_pretrained()` method, can execute arbitrary code when deserializing a maliciously crafted pickle file. The attackers uploaded a seemingly legitimate update to a model, but the pickle file was modified to execute a payload upon loading. This payload could range from installing cryptominers to exfiltrating sensitive data, such as SSH keys or cloud credentials, from the developer's or production machine. Since `from_pretrained()` is a ubiquitous command in the ML ecosystem, this vulnerability has a massive potential impact, leading to widespread compromise of AI development environments and production MLOps pipelines.
Affected Systems
Testing Guide
1. Check your projects for any `from_pretrained()` calls that do not specify a fixed model revision (commit hash).
2. Use a model scanning tool on the models in your local cache (`~/.cache/huggingface/hub`).
3. Attempt to load a known-malicious proof-of-concept model (provided by security researchers) in a sandboxed environment and monitor for unexpected network connections or file system activity.
Mitigation Steps
1. Upgrade the `transformers` library to version `4.45.0` or later, which defaults to using the safer `safetensors` format and performs additional checks.
2. Always pin model versions to a specific commit hash instead of using the `main` branch: `AutoModel.from_pretrained('model/name', revision='specific_commit_hash')`.
3. Before loading a new model, use model scanning tools like `safetensors` converters or other third-party scanners to inspect its contents for unsafe modules.
4. Enable the `safe_serialization=True` argument in `from_pretrained()` to enforce loading only `safetensors` files, which are not vulnerable to arbitrary code execution.
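A static opcode scanner of the kind that testing step 2 and mitigation step 3 call for, added here as an example (not code from this advisory or from the Transformers project). It walks the pickle opcode stream with `pickletools` without unpickling anything, flags every import outside an allowlist, and handles both a raw pickle and the zip layout of `pytorch_model.bin`; the allowlist, the sample pickles and the `as_torch_zip` helper are constructed for this example.

```python
import io
import json
import pickle
import pickletools
import zipfile
from collections import OrderedDict
# Modules a plain PyTorch state_dict legitimately imports (allowlist assumed for this example).
ALLOWED_MODULES = {"collections", "torch", "torch._utils"}

def scan_pickle_bytes(data: bytes) -> list[str]:
    """Return 'module.name' for each import outside the allowlist; nothing is unpickled."""
    findings, strings, memo, top_is_str = [], [], {}, False
    for op, arg, _pos in pickletools.genops(data):
        ref, is_str = None, op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE")
        if is_str:
            strings.append(arg)                  # candidate module/name for STACK_GLOBAL
        elif op.name == "MEMOIZE":
            memo[len(memo)] = strings[-1] if top_is_str else None
            is_str = top_is_str                  # a memo store leaves the stack top as is
        elif op.name in ("BINGET", "LONG_BINGET") and memo.get(arg) is not None:
            strings.append(memo[arg])            # module/name string reused via the memo
            is_str = True
        elif op.name == "GLOBAL":                # protocol <= 3: arg is "module name"
            ref = tuple(arg.split(" ", 1))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: pops name, then module
            ref = (strings[-2], strings[-1])
        top_is_str = is_str
        if ref and ref[0] not in ALLOWED_MODULES:
            findings.append(".".join(ref))
    return findings

def scan_checkpoint(blob: bytes) -> list[str]:
    """Scan a raw pickle or a PyTorch zip checkpoint (pytorch_model.bin keeps data.pkl in a zip)."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return scan_pickle_bytes(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        pkls = [n for n in zf.namelist() if n.endswith(".pkl")]
        return [f for n in pkls for f in scan_pickle_bytes(zf.read(n))]

def as_torch_zip(pkl: bytes) -> bytes:
    """Constructed stand-in for torch's zip layout (archive/data.pkl), not torch.save() output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
    return buf.getvalue()

# Constructed samples (no torch needed): a benign state_dict-shaped pickle and one importing outside the allowlist.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
UNEXPECTED = pickle.dumps({"weights": json.loads}, protocol=4)
```

Run `scan_checkpoint` over each `*.bin` file under the cache directory named in the testing guide; any non-empty result names an import that a plain state_dict has no reason to perform, and a payload that references `os`, `subprocess` or `builtins` is rejected by the same allowlist.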
Patch Details
Transformers version 4.45.0 now defaults to loading `.safetensors` files and will raise a warning when falling back to pickle files.