You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

Picklescan + ModelScan Bypass PoC

This repository contains a proof-of-concept malicious .joblib model file that bypasses both picklescan and ModelScan while achieving arbitrary code execution.

Bypass Technique

Chain: marshal.loads() → types.FunctionType() → function() → RCE

Scanner	Version	Result
picklescan	1.0.3	`Infected: 0, Dangerous: 0` (only "Suspicious")
ModelScan	0.8.7	`No issues found!`

Root Cause

marshal module is NOT in picklescan's _unsafe_globals blocklist
types.FunctionType is NOT blocked (only types.CodeType is)
marshal.loads() reconstructs code objects — functionally equivalent to blocked types.CodeType()

File

malicious_model.joblib — Handcrafted pickle bytecode that executes id > /tmp/picklescan_bypass_proof.txt on load

Verification

# Scan (passes both scanners)
picklescan -p malicious_model.joblib -g
modelscan -p malicious_model.joblib

# Load (triggers RCE)
python -c "import pickle; pickle.loads(open('malicious_model.joblib','rb').read())"

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support