The AI supply-chain problem is no longer only about poisoned Python packages.
It is about the file called model.pt.
That sounds like a storage detail. It is not. Model artifacts now move through enterprise systems with the trust posture once reserved for static data. Teams download them from hubs, cache them, fine-tune them, pass them into inference services, and treat a green scanner badge as operational permission.
The uncomfortable part is simple: some model files are not inert.
Hugging Face’s own security documentation says pickle is widely used in machine learning and is the default format for PyTorch model weights. It also says dangerous arbitrary-code-execution attacks can happen when a user loads a pickle file, which is why Hugging Face recommends trusted sources, signed commits, non-pickle formats where possible, and Safetensors as a simpler weights format (Hugging Face).
That turns model governance into executable-file governance. The model registry is not just a catalog. It is a software distribution channel with a nicer thumbnail.
The Problem
Most companies still separate “code” and “model” in their heads.
Code goes through dependency review, SBOM tooling, vulnerability scans, signature checks, build isolation, and production approval. Models often take a softer path: source reputation, benchmark notes, license review, maybe a malware scan, then into a notebook or inference stack.
That split made more sense when models were moved around by small research teams. It makes less sense when model hubs have become the default procurement shelf for open weights, adapters, embeddings, fine-tunes, datasets and demo repos.
The risk is not theoretical. Pickle is powerful because it can serialize Python objects. It is dangerous for the same reason. Hugging Face explains that a pickle can execute code during deserialization and that its Hub scanner reads pickle opcodes without executing them. The current scanner stack includes ClamAV and a pickle-import scan, but Hugging Face also warns the approach is not foolproof (Hugging Face).
That caveat matters. In normal software supply-chain security, “not foolproof” is a familiar phrase. In model operations, it is still being priced in.
The Analysis
The first shift is that model files are becoming dependency objects.
Developers do not load them once. They automate them. A model artifact can enter CI, a training job, a feature branch, a notebook, a vector pipeline, a benchmark harness or an internal inference service. It can be pulled by a script that nobody has reviewed since a hackathon. That is how software gets real. It is also how trust boundaries get bored and walk away.
ReversingLabs’ 2026 Software Supply Chain Security Report release says detections of malicious open-source packages rose 73% in 2025 and that attackers also targeted AI development pipelines. Its specific AI example is Hugging Face abuse through NullifAI, a technique that used the Pickle model-file format to bypass platform security processes (ReversingLabs).
That is the right framing. The attacker is not only exploiting a vulnerable library. The attacker is exploiting the platform workflow around trusted artifacts.
The second shift is that scanners are necessary but insufficient.
Hugging Face has not ignored the problem. It documents its pickle scans. It also says public repository files are scanned by Protect AI’s Guardian, which catches pickle, Keras and other model-file exploits, and explains that some serialization formats can expose arbitrary-code-execution paths (Hugging Face).
That is good infrastructure. It is not a complete control plane.
A public Hugging Face research repository called MEMOWNED describes a proof of concept for a pickle scanner bypass. The page says a generated model.pt payload can pass modelscan and picklescan as clean, then execute when a victim loads it. The stated root cause is a mismatch between scanner behavior and Python’s pickle runtime (dyngnosis).
Treat that as defensive research, not a recipe. The point is not the exploit mechanics. The point is that “scanner says clean” cannot be the end of the risk decision when the runtime semantics are richer than the scanner model.
The third shift is prevalence. Pickle is not a weird legacy corner.
PickleBall, an academic system for safer loading of pickle-based machine-learning models, says model repositories such as Hugging Face can deliver malware through compromised models. Its abstract reports that 44.9% of popular Hugging Face models still used the insecure pickle format in its dataset, and that model scanners have both false positives and false negatives (arXiv).
That figure is not a live market share counter. It is a research dataset. Still, it explains why this is not solved by telling everyone to “just use Safetensors” and getting back to lunch. Legacy formats, tooling defaults and model compatibility all create drag.
The useful enterprise question is not “is Hugging Face safe?” That is too broad. The better question is: what happens inside your company after a model artifact leaves the hub?
If the answer is “a developer loads it locally and experiments,” the blast radius is one workstation plus whatever credentials live there. If the answer is “an automated workflow pulls it into a privileged training or inference environment,” the model file has become part of the production software supply chain.
At that point, it needs normal supply-chain treatment.
Provenance should be explicit. Which organization published the artifact? Was the commit signed? Was it mirrored internally? Was the hash verified against an allowlist? Was it converted to a safer format? Is the loader running with network access, secrets access or write access it does not need?
The boring controls are the controls.
The Implications
For CISOs, the answer is not a blanket ban on external models. That will fail quietly. Teams will keep downloading what they need, just with worse logging.
The better pattern is a model-artifact intake path. External models should land in quarantine first. Scans and format checks should run there. Hashes, publisher identity, license metadata and risk notes should be recorded there. Unsafe formats should require explicit exception. Production loaders should default to least privilege and no ambient secrets.
For platform teams, this is an internal registry problem. The company should not have fifty notebooks pulling arbitrary model files directly from the public internet. It should have a curated mirror with approval metadata and revocation. That sounds bureaucratic until the first model artifact executes code in a GPU box with cloud credentials. Then it sounds like Tuesday.
For model hubs, the incentives point toward richer trust signals. Scanner output is one layer. Signed commits, maintainer reputation, artifact format, reproducible conversion, provenance attestations, and explicit warnings about dangerous loaders are part of the same surface. The user interface matters because developers make security decisions at download speed.
For AI buyers, the procurement question changes. A vendor saying “we use open models” is not enough. Which models? From where? In what format? Loaded how? With what runtime permissions? Can the vendor revoke a compromised artifact fast? Can it prove the artifact running in production is the one security reviewed?
The supply-chain lesson from open source was painful and obvious: dependencies are code, whether or not procurement wants to call them that.
AI is repeating the lesson with a different file extension.
Model weights are becoming operational assets. Some are also executable risk. Security teams should treat that as the next dependency class.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.