{"id":7226,"date":"2025-02-06T10:00:00","date_gmt":"2025-02-06T16:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83414"},"modified":"2025-02-06T10:00:00","modified_gmt":"2025-02-06T16:00:00","slug":"hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/06\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles\/","title":{"rendered":"Hugging Face platform continues to be plagued by vulnerable \u2018pickles\u2019"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Hugging Face platform continues to be plagued by vulnerable \u2018pickles\u2019 | CyberScoop<\/title> <meta name=\"description\" content=\"A widely used python module for machine-learning developers can be loaded with malware and bypass detection measures.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Hugging Face platform continues to be plagued by vulnerable \u2018pickles\u2019\"> <meta property=\"og:description\" content=\"A widely used python module for machine-learning developers can be loaded with malware and bypass detection measures.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-06T16:00:00+00:00\"> <meta 
property=\"article:modified_time\" content=\"2025-02-06T16:34:03+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1738186663g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=811a4fffdf449a472805\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83414\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83414\">\n<link rel=\"alternate\" 
title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83414 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" 
readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.668989547038\">\n<div class=\"single-article__header-content\" readability=\"34.316883116883\">\n<p> A widely used Python serialization format for machine-learning models can carry malware that executes when the model is loaded, and can bypass detection measures. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83414\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles.jpg?resize=640%2C427&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg 7075w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=768,513 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=1536,1025 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=2048,1367 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=505,337 505w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=1011,675 1011w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-2.jpg?resize=1263,843 1263w\" sizes=\"(max-width: 1011px) 100vw, 1011px\"><figcaption> Pickle files &#8211; the output of the built-in Python object serialization format, whose deserialization can execute code embedded in the file &#8211; are commonly used by legitimate AI developers and threat actors.<br \/>\n(Image Source: Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"40.108695652174\"><body readability=\"80.780206435944\"><\/p>\n<p>Researchers at ReversingLabs have identified at least two machine-learning models on Hugging Face, a popular platform for community AI development, that link to malicious web shells and managed to evade detection through the use of \u201cpickling.\u201d<\/p>\n<p>Pickle files are produced by Python\u2019s built-in pickle serialization format, which converts in-memory objects into a byte stream and rebuilds them when the file is loaded. They\u2019re commonly used by AI developers to store and build off ML models that have already been trained. Threat actors take advantage of the fact that a pickle file can direct the loader to execute arbitrary Python code during deserialization, so loading a pickle from an untrusted source is equivalent to running untrusted code.<\/p>\n<p>ReversingLabs identified a pickling method used in two ML models available on Hugging Face\u2019s platform that contained malicious code, deploying web shells that linked to a hardcoded IP address.<\/p>\n<p>Karlo Zanki, a reverse engineer at ReversingLabs, wrote that the two packages \u201clook more like a proof-of-concept model for testing a novel attack method\u201d than evidence of an active attack. 
However, since platforms like Hugging Face are built on community sharing of data and pickle files are one of the easiest ways to share information, Zanki said the attack vector was a \u201clegitimate\u201d threat to AI developers.<\/p>\n<p>Hugging Face, for its part, is aware of the dangers from pickle files and even warns developers about the problem in its <a href=\"https:\/\/huggingface.co\/docs\/hub\/en\/security-pickle\">documentation<\/a>. The company also deploys a tool \u2014 called Picklescan \u2014 that is designed to identify malicious pickle files on its platform.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe Picklescan tool is based on a blacklist of \u2018dangerous\u2019 functions. If such functions are detected inside a Pickle file, Picklescan marks them as unsafe,\u201d Zanki wrote. While such deny-lists of known-bad functions are a baseline control, they\u2019re \u201cnot scalable or adaptable as known threats morph \u2014 and new threats emerge.\u201d&nbsp;<\/p>\n<p>The two models identified by ReversingLabs, stored in PyTorch format, managed to skirt detection by the tool, likely because they were compressed using a different format than the scanner expects. Picklescan also stumbles when attempting to detect malicious code in broken pickle files: a file that fails validation is never scanned, yet the deserializer still executes any payload placed before the point where the stream breaks.<\/p>\n<p>The findings, Zanki said, underscore how \u201cpickle file deserialization works in a different way from Pickle security scanning tools.\u201d<\/p>\n<p>\u201cPicklescan, for example, first validates Pickle files and, if they are validated, performs security scanning,\u201d he said. \u201cPickle deserialization, however, works like an interpreter, interpreting opcodes as they are read \u2014 but without first conducting a comprehensive scan to determine if the file is valid, or whether it is corrupted at some later point in the stream.\u201d&nbsp;<\/p>\n<p>Zanki said the issue was reported to Hugging Face on Jan. 
20, the malicious models were quickly pulled from the platform and <a href=\"https:\/\/github.com\/mmaitre314\/picklescan\/pull\/33\">changes<\/a> were made to Picklescan to better identify malicious code in broken pickle files. That is a detection-side improvement; it does not change the underlying risk that deserializing a pickle file executes whatever code it contains.<\/p>\n<p>As the AI boom has led to a surge of community-made machine-learning models, pickle-related vulnerabilities continue to plague developers. Researchers at <a href=\"https:\/\/www.reversinglabs.com\/blog\/spectra-assure-malware-detection-in-ml-and-llm-models\">ReversingLabs<\/a>, <a href=\"https:\/\/www.wiz.io\/blog\/wiz-and-hugging-face-address-risks-to-ai-infrastructure\">Wiz<\/a>, <a href=\"https:\/\/checkmarx.com\/blog\/free-hugs-what-to-be-wary-of-in-hugging-face-part-4\/\">Checkmarx<\/a> and other cybersecurity firms have identified numerous methods and examples of abusing pickle files to deliver malware to unsuspecting developers on open platforms like Hugging Face.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>To read more about this vulnerability, including indicators of compromise, read the full ReversingLabs research <a href=\"https:\/\/www.reversinglabs.com\/rl-identifies-malware-ml-model-hosted-on-hugging-face\">here<\/a>.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7399617590822\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles-1.jpg?w=640&#038;ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. 
Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad 
ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hugging Face platform continues to be plagued by vulnerable \u2018pickles\u2019<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[235,78,3683,310,49,288,1],"tags":[236,86,3684,311,57,294,325],"class_list":["post-7226","post","type-post","status-publish","format-standard","hentry","category-ai","category-cybersecurity","category-reversinglabs","category-technology","category-threat-intelligence","category-threats","category-uncategorized","tag-ai","tag-cybersecurity","tag-reversinglabs","tag-technology","tag-threat-intelligence","tag-threats","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ai\/\" rel=\"category tag\">AI<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/reversinglabs\/\" rel=\"category tag\">ReversingLabs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threat-intelligence\/\" rel=\"category tag\">Threat Intelligence<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7226"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7226\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}