Malicious models

2024 HuggingFace: 100+ models with malicious pickle payloads discovered. Pickle deserialization = code execution.


Pickle problem

PyTorch's default checkpoint format is pickle-based. Loading a .pkl file can execute arbitrary Python during deserialization. Use SafeTensors (a safe binary format that stores only tensor data) instead.


Malicious pip

Typosquatting: 'tensorfow' vs 'tensorflow'. Packages like this have stolen crypto wallets in real attacks.

Dataset poisoning

Popular corpora corrupted at source. LAION-style scraping introduces unverified content from the open web. Split-view attacks: the content a crawler records differs from what is served when the dataset is later re-downloaded.