The Python ML ecosystem has a problem that its practitioners largely chose to accept: pickle. The default serialization format for PyTorch model weights is Python's pickle protocol, which can embed arbitrary Python bytecode. Load a malicious pickle file and you execute whatever code it contains — no exploit required, no vulnerability to patch. It's a feature being used as a weapon.
In 2024, security researchers scanning the Hugging Face Hub found over 100 model repositories containing pickle payloads designed to run code on the researcher's machine the moment the model was loaded. The payloads ranged from proof-of-concept demonstrations — a file write, a DNS ping — to full reverse shells. All of them were uploaded as legitimate-looking model checkpoints. Most had download counts in the thousands.
The npm Parallel
The ML ecosystem is repeating a history the JavaScript community lived through a decade ago. npm became a supply chain attack surface when it grew fast enough that no one could meaningfully audit every package. The solution — imperfect, incremental, still ongoing — involved package signing, automated malware scanning, maintainer verification, and eventually institutional pressure to adopt safer practices. Hugging Face Hub is at the early stage of that same trajectory.
The difference is that the blast radius of an ML supply chain compromise can be larger. A malicious npm package in a dev dependency might affect a few developers. A malicious model checkpoint in a popular base model repository could affect every organization that fine-tunes from it — potentially at training time, before any security review of the inference endpoint.
"Hugging Face is where you go to trust strangers with arbitrary code execution on your GPU cluster. The community just hasn't named it that way yet."
What Organizations Should Do Now
The safest format for model weights is safetensors — Hugging Face's own format, which explicitly cannot contain executable code. Organizations that load model weights in production should treat any model not available in safetensors format as untrusted, and loading it in a sandboxed, network-isolated environment if at all.
For organizations building ML pipelines, model provenance deserves the same treatment as software dependencies: pinned versions, integrity verification, and a preference for models from publishers whose identity is verifiable. The ML community is early enough in this arc that establishing good hygiene now costs less than remediation later. The window where most practitioners still find this surprising is closing.