
Hugging Face AI models compromised by new ‘nullifAI’ attack


A novel attack method, dubbed ‘nullifAI,’ is used by threat actors to exploit vulnerabilities in AI models shared on Hugging Face. This attack uses insecure Python Pickle serialisation to execute harmful code on unsuspecting developer systems.

Hugging Face has become a cornerstone of AI development, enabling researchers and developers to collaborate on ML models. However, its open nature also presents security challenges. Researchers recently identified two PyTorch models on the platform containing malicious code that had bypassed Hugging Face’s existing security mechanisms.

The attack method exploits Pickle files, the output of a Python module used to serialise and deserialise ML model data. While Pickle is widely adopted for its efficiency and ease of use, it is inherently insecure, as it allows embedded Python code to execute upon deserialisation.

Researchers found that this vulnerability is well-documented, even in Hugging Face’s documentation. However, it continues to pose risks due to its prevalence in AI.

These two specific models used the 7z format, preventing Hugging Face’s security tool, Picklescan, from properly scanning them. Picklescan operates on a blacklist approach — flagging known dangerous functions — but this technique is not comprehensive enough to detect novel threats. Another problem with Picklescan is that it cannot analyse ‘broken’ Pickle files, which allowed the malware to remain undetected.

Malicious Hugging Face model. | Source: ReversingLabs

Unlike standard antivirus tools, Picklescan validates a Pickle file before scanning it for threats. Pickle deserialisation does not follow this approach; it executes code as the file is read, meaning malware can run even if the file is later deemed invalid.

The researchers’ investigation demonstrated that slightly modifying a Pickle file, such as inserting an extra opcode, could cause Picklescan to fail its analysis while still allowing the malware to execute.

Following the responsible disclosure on January 20, Hugging Face removed the malicious models within 24 hours. The company also updated Picklescan to improve its detection of broken Pickle files. However, as the researchers point out, the fundamental risks remain the same.

The researchers urge AI developers to avoid pickle-based serialisation, run ML models in isolated environments, use security tools that go beyond blacklist-based scanning, and verify the source of ML models before integrating them into production systems.
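As an added example (not code from the article, from ReversingLabs or from Hugging Face), the two points above can be demonstrated in Python with the standard library: a scanner built on pickletools that keeps reporting global references even when the stream turns out to be malformed, because Pickle executes opcodes as it reads them, and a loader that allowlists globals instead of blacklisting them. The allowlist and both sample pickles are constructed assumptions for this example.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Allowlist of the only globals a trusted checkpoint is expected to reference.
# Assumption for this example; a real loader lists exactly what its format needs.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist, not blacklist: any global outside SAFE_GLOBALS is refused
    before it is resolved, so an unknown callable is never even looked up."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global reference {module}.{name}")


def scan_globals(data: bytes):
    """Record every global the pickle references, in stream order, and report a
    parse error separately instead of giving up: a malformed tail does not undo
    the opcodes the unpickler has already executed. Simplification: for
    STACK_GLOBAL, the two most recent string arguments are taken as module/name."""
    seen, strings, error = [], [], None
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name == "GLOBAL":            # protocol 0-3: "module name"
                seen.append(tuple(arg.split(" ", 1)))
            elif op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
                strings.append(arg)
            elif op.name == "STACK_GLOBAL":    # protocol 4+: module, name on stack
                seen.append((strings[-2], strings[-1]))
    except Exception as exc:                   # truncated stream, unknown opcode, ...
        error = f"{type(exc).__name__}: {exc}"
    return seen, error


def load_restricted(data: bytes):
    """Return ("ok", obj) or ("blocked", reason) using the allowlisting loader."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


# Constructed samples (not files from the incident): a benign state dict, and a
# protocol-2 stream that references os.system and then ends with no STOP opcode,
# which a validate-first scanner would reject as malformed without looking further.
GOOD = pickle.dumps(OrderedDict([("weight", [0.1, 0.2])]), protocol=4)
SUSPECT = b"\x80\x02cos\nsystem\n"

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("suspect", SUSPECT)):
        print(label, scan_globals(blob), load_restricted(blob)[0])
```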


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
