Malicious Models on Hugging Face Hub Achieve RCE via Unsafe Deserialization
Overview
A widespread supply chain attack was identified in which multiple models on the Hugging Face Hub were trojanized to execute malicious code on developer machines. The attack leveraged the inherent insecurity of Python's `pickle` format, the serialization mechanism underneath PyTorch checkpoints such as `pytorch_model.bin`: unpickling untrusted data is arbitrary code execution by design. Attackers uploaded seemingly legitimate fine-tuned versions of popular models with a malicious payload embedded in the pickle stream. When a developer or MLOps pipeline loaded one of these models with the standard `torch.load()` or `transformers.AutoModel.from_pretrained()` calls, the unpickler encountered a `GLOBAL` (or, in protocol 4 and later, `STACK_GLOBAL`) opcode naming an attacker-chosen callable, the serialized form of an object's `__reduce__` method, followed by a `REDUCE` opcode, and invoked that callable with attacker-supplied arguments. Payloads observed in the wild included credential stealers that searched for AWS keys, SSH keys, and Kubernetes configuration files and exfiltrated them to an attacker-controlled server. The incident exposed the significant risk of blindly trusting community-contributed AI artifacts. In response, Hugging Face enhanced its security scanning to detect malicious pickle payloads and strongly promoted the `safetensors` format, which stores a JSON header plus raw tensor bytes and whose loader never executes code taken from the file.
Affected Systems
Testing Guide
1. Download the model file in `.bin` or `.pt` format that you wish to test, but do not load it. PyTorch checkpoints are zip archives containing a `data.pkl` pickle stream; `picklescan` inspects the pickle inside the archive.
2. Install `picklescan` via `pip install picklescan`.
3. Run the scanner on the model file: `picklescan -p /path/to/your/model.bin`.
4. If the tool reports any findings, especially global imports from modules such as `os` (which pickle records under its real module name, `posix` on Linux or `nt` on Windows), `subprocess`, `builtins`, or `requests`, treat the model as malicious and do not load it.
5. Treat a clean scan as necessary but not sufficient: scanners match a deny list of known dangerous imports, and a payload can be rearranged to evade them, so a clean result does not replace the safetensors and isolation steps in the mitigation list.
Mitigation Steps
1. **Prioritize SafeTensors:** Exclusively use models in the `.safetensors` format whenever possible. Pass `use_safetensors=True` when loading with the Transformers library so that `from_pretrained()` fails instead of silently falling back to a pickle checkpoint.
2. **Scan Models:** Before loading any pickle-format model (`.bin`, `.pt`), scan it with a trusted tool such as `picklescan` or `huggle` to detect malicious opcodes. Where a pickle checkpoint must be loaded anyway, call `torch.load(..., weights_only=True)`, which restricts the unpickler to an allow-list of tensor and container types; PyTorch 2.6 and later make this the default.
3. **Isolate Loading:** Load untrusted models in a sandboxed, network-isolated environment with no cloud credentials, SSH keys, or kubeconfig files present, to limit the impact of a compromise.
4. **Audit Dependencies:** Regularly audit your project's model dependencies, use only models from trusted, verified organizations, and pin the exact commit with the `revision=` argument of `from_pretrained()` so a later push to the repository cannot swap in a trojaned file.
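The attack mechanism from the overview, the static check from the testing guide, and the allow-list loader behind mitigation step 2, as an added example that is not part of the advisory or of any Hugging Face or PyTorch code. The payload is constructed and harmless (it runs `echo`); the deny list and the one-entry allow list are assumptions made for the example and are far shorter than what `picklescan` or `torch.load(weights_only=True)` actually use.

```python
"""Added example, not code from the advisory or from Hugging Face: a REDUCE-based
pickle trojan, a static scanner that lists its imports without executing them,
and an allow-list Unpickler that refuses it. Payloads are constructed and
harmless (they only run `echo`)."""
import collections
import io
import os
import pickle
import pickletools

# Modules a weights file never needs to import (assumed deny list for the
# example). os.system is recorded by pickle under its real module, 'posix' on
# Linux or 'nt' on Windows, so both are listed alongside 'os'.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "sys", "builtins", "socket", "shutil",
    "runpy", "webbrowser", "urllib", "requests", "http", "importlib",
}

# Allow-list for the restricted loader (assumed for the example; a real
# checkpoint loader such as torch.load(weights_only=True) ships a longer one).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

STRING_OPCODES = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
                  "STRING", "BINSTRING", "SHORT_BINSTRING"}


class Trojan:
    """Object whose __reduce__ makes the unpickler call func(*args).

    Pickling it emits a GLOBAL (or STACK_GLOBAL) opcode naming func and a
    REDUCE opcode; unpickling performs the call. The trojaned Hub models used
    the same mechanism to run credential stealers inside torch.load().
    """

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def build_trojan(protocol=2):
    """Constructed stand-in payload: os.system("echo ...") instead of a stealer."""
    return pickle.dumps(Trojan(os.system, ("echo pickle payload executed",)),
                        protocol=protocol)


def build_benign():
    """A state_dict-like object, the only thing a weights file should contain."""
    return pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=4)


def list_globals(data):
    """Every (module, name) the stream would import, found by disassembly only.

    pickletools.genops never executes anything. GLOBAL (protocol <= 3) carries
    'module name' in its argument; STACK_GLOBAL (protocol >= 4) takes module and
    name from the two most recent string constants, which are tracked here.
    """
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            name, module = recent_strings.pop(), recent_strings.pop()
            found.append((module, name))
    return found


def scan(data):
    """Dangerous (module, name) pairs in the stream; an empty list is a clean scan."""
    return [(m, n) for m, n in list_globals(data)
            if m.split(".")[0] in DANGEROUS_MODULES]


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals, so GLOBAL fails closed before REDUCE."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def refuses(data):
    """True if the restricted loader rejects the stream without running it."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    for proto in (2, 4):
        print(f"protocol {proto}: dangerous globals {scan(build_trojan(proto))}")
    print("benign:", scan(build_benign()), restricted_loads(build_benign()))
    print("trojan refused by restricted loader:", refuses(build_trojan(4)))
    # Plain pickle.loads is what torch.load() did by default: the echo runs.
    pickle.loads(build_trojan(4))
```

Run the file directly to see both pickle protocols flagged and the restricted loader refuse the stream while accepting the benign `OrderedDict`. The module reported for `os.system` is `posix` (or `nt`), which is why deny lists must include the platform module and why any deny list remains a heuristic; the allow-list loader fails closed instead, which is the same principle `torch.load(weights_only=True)` applies.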
Patch Details
This is a design-level weakness rather than a bug with a single patch: unpickling untrusted data is code execution by design, so the remedy is procedural and ecosystem-wide. Hugging Face implemented server-side scanning of uploaded pickle files and UI warnings on flagged repositories, and the community is shifting to the `safetensors` format.