nullifAI
Two malicious pickles were discovered by ReversingLabs in February 2025. Pickle is a commonly used Python format for serializing and deserializing ML model data, and it is supported on platforms such as Hugging Face. The malware contained a reverse shell that connected to a hardcoded IP address. Note that even broken Pickle files can execute malicious code on a developer's system when they are loaded.
Impact
- Hugging Face removed the malicious models within 24 hours of disclosure.
- The Picklescan tool was improved so that it also identifies threats in "broken" Pickle files.
Type of compromise
The attack relied on the trust placed in models hosted on Hugging Face. The compromise type is therefore Trust and Signing.
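The point that a broken Pickle file still runs whatever the loader decodes before the stream breaks off, and that a scanner must therefore not stop at the first parse error, can be shown with a small opcode-level check. This is an added illustration, not code from the catalog entry, from ReversingLabs or from Picklescan; the denylist is a short illustrative one, and the truncated sample stream is constructed by hand.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Illustrative denylist of import targets no model file should need;
# a real scanner such as picklescan carries a much longer list.
DANGEROUS = {
    ("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
    ("builtins", "eval"), ("builtins", "exec"),
}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream with pickletools; nothing is ever unpickled.
    Returns every import the stream would perform, the denylisted ones,
    and whether the stream ended (or became unreadable) before STOP."""
    imports, strings, truncated = [], [], False
    try:
        for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
            if op.name == "GLOBAL":
                # protocol <= 3: arg is "module name" as one string
                imports.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                # protocol 4+: module and name are the last two strings pushed
                imports.append((strings[-2], strings[-1]))
            elif isinstance(arg, str):
                strings.append(arg)
    except ValueError:
        # genops raises once the bytes run out or an opcode is unknown;
        # everything decoded before that point still executes in pickle.load
        truncated = True
    flagged = [imp for imp in imports if imp in DANGEROUS]
    return {"imports": imports, "flagged": flagged, "truncated": truncated}


# Constructed sample: a protocol-2 stream that imports builtins.eval and
# then breaks off with no STOP opcode, the shape of a "broken" pickle.
TRUNCATED_SAMPLE = b"\x80\x02cbuiltins\neval\nq\x00"


def clean_sample() -> bytes:
    """A genuine protocol-4 pickle of a harmless stdlib object."""
    return pickle.dumps(OrderedDict(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("truncated", TRUNCATED_SAMPLE), ("clean", clean_sample())):
        print(label, scan_pickle(blob))
```

The truncated sample is reported as both flagged and truncated, while the protocol-4 sample shows the STACK_GLOBAL resolution producing a harmless import and no finding.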