Malicious Code Execution via Poisoned PyTorch Models on Hugging Face Hub
Overview
Security researchers demonstrated a supply chain attack vector targeting developers who use models from the Hugging Face Hub. The attack leverages the inherent risk of deserializing Python objects with `pickle`, which is the underlying mechanism for loading older PyTorch models (`.pt`, `.bin` files). An attacker can craft a malicious model file containing a pickled Python object that, upon deserialization via `torch.load()`, executes arbitrary code.

The researchers uploaded several seemingly benign models to the Hub, which passed initial automated scans. When a victim developer downloaded and loaded one of these models using a standard `transformers` pipeline or a plain `torch.load()` call, the embedded payload executed on their machine. Such a payload could be used to steal API keys, environment variables or SSH keys, or to install persistent backdoors.

The `safetensors` format is designed to eliminate this deserialization risk, but the attack can still succeed if the `config.json` in the model repository is modified so that `auto_map` points at a malicious class: `transformers` will then import and run that repository code whenever the model is loaded with `trust_remote_code=True`. This incident highlighted the critical need for model scanning, code signing, and cautious use of community-contributed models, treating them as untrusted executable code.
Affected Systems
Testing Guide
1. **Do not test with a malicious model on a production system.**
2. In a secure, isolated environment, create a simple Python script to load a known malicious PoC model file (if available from security researchers).
3. Use a tool like `torch-scan`, or manually inspect the pickle contents of a `.bin` file, to identify suspicious opcodes such as `REDUCE` or `STACK_GLOBAL`.
4. When loading the model with `torch.load()`, monitor for unexpected network connections, file system access, or process creation using system monitoring tools.
5. Check whether your loading scripts for community models set `trust_remote_code=True`. If they do, you are at high risk.
Mitigation Steps
1. **Use SafeTensors:** Prioritize loading models exclusively in the `.safetensors` format. Avoid using `.pt`, `.pth`, or `.bin` files from untrusted sources.
2. **Do Not Trust Remote Code:** When loading models with the `transformers` library, explicitly set `trust_remote_code=False` unless you have manually audited the model's source code.
3. **Scan Models:** Use model scanning tools like `safetensors-check` or other commercial solutions to inspect model files for malicious payloads before loading them.
4. **Vet Sources:** Only use models from trusted, verified creators on the Hugging Face Hub or other platforms.
5. **Restrict Permissions:** Run model loading and inference processes in low-privilege, sandboxed environments to limit the potential impact of a compromise.
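The pickle inspection from step 3 of the Testing Guide and the "Scan Models" mitigation above, as an added example that is not part of the original advisory or of any named tool: it walks the opcode stream with `pickletools.genops` (nothing is executed), lists every global the payload would import, flags any not on an allowlist, and adds an allowlisting `Unpickler` as a load-time backstop. The allowlist contents, the sample pickles and all function names are assumptions constructed for this example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Assumed minimal allowlist of globals a plain state_dict pickle needs; extend it with the storage classes your checkpoints use.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Statically list every (module, name) the stream would import; no opcode is executed."""
    found, strings, memo_used = [], [], False
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol <= 3: operand is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name in STRING_OPS:
            strings.append(arg)            # candidates for a later STACK_GLOBAL
        elif op.name in {"GET", "BINGET", "LONG_BINGET"}:
            memo_used = True               # operands may now come from the memo
        elif op.name == "STACK_GLOBAL":    # protocol 4: pops name, then module
            if memo_used or len(strings) < 2:
                found.append(("<unresolved>", "<unresolved>"))  # not statically resolvable: treat as hostile
            else:
                name, module = strings.pop(), strings.pop()
                found.append((module, name))
    return found

def suspicious_globals(data: bytes) -> list[tuple[str, str]]:
    """Imports the payload needs that are outside the allowlist; an empty list means clean."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]

class AllowlistUnpickler(pickle.Unpickler):
    """Load-time backstop: refuse any import outside the allowlist instead of resolving it."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def loads_allowlisted(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()

# Constructed samples: a benign state_dict-style pickle, plus two hand-built streams that only reference os.system without calling it.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=2)
HOSTILE_P2 = b"\x80\x02cos\nsystem\n."
HOSTILE_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93."
```

A modern `torch.save` checkpoint is a zip archive whose `data.pkl` member holds the pickle, so run the scanner on that member; for actual loading, `torch.load(..., weights_only=True)` applies the same allowlisting idea inside PyTorch.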
Patch Details
This is an ecosystem-level risk rather than a specific library bug. Mitigation relies on user awareness and best practices. Hugging Face has improved scanning and user warnings.