Malicious models
In 2024, 100+ models with malicious pickle payloads were discovered on HuggingFace. Pickle deserialization = arbitrary code execution on load.
Pickle problem
PyTorch's default serialization format. Loading an untrusted .pkl file executes arbitrary Python. Use SafeTensors (a safe, code-free binary format) instead.
Malicious pip
Typosquatting: 'tensorfow' vs 'tensorflow'. Typosquatted packages have stolen crypto wallets in real attacks.
Dataset poisoning
Popular corpora corrupted at source. LAION-style scraping introduces unverified content. Split-view attacks: the content at a URL changes between when the dataset index is curated and when it is actually downloaded.