Supply Chain · High
Roughly 100 malicious models found on Hugging Face
February 2024 · Hugging Face
What happened
JFrog Security Research found roughly 100 models on Hugging Face carrying real malicious payloads, mostly PyTorch pickle files abusing the __reduce__ method to execute code on load, including one that opened a reverse shell to a hardcoded address. Keras Lambda layers and runpy were also used to evade scanning.
Root cause
Model file formats such as pickle can run arbitrary code during deserialization, and a public model registry let anyone upload weaponized models that execute the moment a data scientist loads them.
Fix / outcome
Hugging Face removed flagged models and continues to expand malware scanning. Load untrusted models only in sandboxed environments and prefer the safetensors format.
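As an added illustration of the root cause and of the loader-side mitigation (example code, not from the JFrog report or from Hugging Face): a static scan that lists every import a pickle would perform using pickletools, without loading it, beside a restricted Unpickler that refuses unexpected imports at load time. The module allowlist, the constructed sample pickles and the runpy.run_path reference are assumptions made for the example.

```python
import io
import pickle
import pickletools
import runpy

# Allowlist for a PyTorch-style loader: an assumption for this example, not
# any registry's policy. Anything imported from outside it is suspicious.
ALLOWED_MODULES = {"builtins", "collections", "torch", "torch._utils", "numpy",
                   "numpy.core.multiarray"}
# Even inside builtins, these hand a pickle arbitrary code execution.
DENIED = {("builtins", n) for n in ("eval", "exec", "getattr", "__import__", "compile")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING",
              "SHORT_BINSTRING", "BINSTRING"}
GET_OPS = ("BINGET", "LONG_BINGET", "GET")

def referenced_globals(data: bytes) -> list:
    # GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) pops two
    # strings that may have been pushed literally or replayed from the memo.
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"):
            memo[len(memo) if op.name == "MEMOIZE" else arg] = last  # pushes nothing
            continue
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        # What this opcode pushed: a literal string, a memo replay, or something else.
        last = memo.get(arg) if op.name in GET_OPS else arg if op.name in STRING_OPS else None
        if isinstance(last, str):
            strings.append(last)
    return found

def is_suspicious(data: bytes) -> bool:
    return any(mod not in ALLOWED_MODULES or (mod, name) in DENIED
               for mod, name in referenced_globals(data))

class RestrictedUnpickler(pickle.Unpickler):
    # Load-time backstop: refuse the import rather than execute through it.
    def find_class(self, module, name):
        if module not in ALLOWED_MODULES or (module, name) in DENIED:
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)

def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Constructed samples: harmless weights, and a pickle that merely references
# runpy.run_path (loading it yields the function object; nothing executes).
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
SUSPICIOUS = pickle.dumps(runpy.run_path, protocol=4)
SUSPICIOUS_LEGACY = pickle.dumps(runpy.run_path, protocol=2)
```

The static scan is what a registry or CI gate can run on an artifact before anyone loads it; the restricted Unpickler covers the case where a file reaches a loader anyway, and neither replaces sandboxing or switching to safetensors.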