# NumPy NPY Scanner Bypass PoC

## Vulnerability

A malicious `.npy` file achieves Arbitrary Code Execution via `np.load(allow_pickle=True)`,
while bypassing both picklescan 1.0.4 and modelscan 0.8.8.

## Technique

NPY files with `dtype=object` contain pickled data. Our payload uses a
`marshal.loads` + `types.FunctionType` + `importlib.import_module` chain.
All three globals are classified as Suspicious (not Dangerous) in picklescan,
and are absent from modelscan's `unsafe_globals`.

## Scanner Results

- picklescan 1.0.4: 0 dangerous globals
- modelscan 0.8.8: No issues found

## Reproduction

```python
import numpy as np
np.load('malicious_model.npy', allow_pickle=True)  # ACE
```

Versions: numpy 2.4.2, picklescan 1.0.4, modelscan 0.8.8, Python 3.12
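The defensive takeaway from the card is that an `.npy` file only needs `allow_pickle=True` when its header declares an object dtype, and that an allow-list scanner which ignores `marshal`, `types` and `importlib` misses this chain. The following is an added example, not code from the PoC author, numpy, picklescan or modelscan: it parses the NPY header without numpy, decides whether the payload would have to be unpickled, and walks the pickle opcodes with `pickletools.genops` (no execution) to list every `GLOBAL`/`STACK_GLOBAL` reference, flagging the three module/name pairs named on the page. The sample files and the `FLAGGED_GLOBALS` set are constructed here; the flagged sample merely pickles a reference to `importlib.import_module` and calls nothing.

```python
import ast
import importlib
import pickle
import pickletools
import struct

NPY_MAGIC = b"\x93NUMPY"

# Globals the page names as the bypass chain (assumed allow-list for this example).
FLAGGED_GLOBALS = {
    ("marshal", "loads"),
    ("types", "FunctionType"),
    ("importlib", "import_module"),
}

# Opcodes that push a string; STACK_GLOBAL consumes the last two of them.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def build_npy(descr, shape, data):
    """Assemble a minimal NPY v1.0 file (constructed sample, not an exploit)."""
    header = "{'descr': %r, 'fortran_order': False, 'shape': %r, }" % (descr, shape)
    prefix_len = len(NPY_MAGIC) + 2 + 2          # magic + version + uint16 header length
    pad = 64 - ((prefix_len + len(header) + 1) % 64)  # numpy pads to 64-byte alignment
    header = header + " " * pad + "\n"
    return (NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header))
            + header.encode("latin1") + data)


def parse_npy_header(blob):
    """Parse magic, version and header dict; return (header_dict, data_offset)."""
    if not blob.startswith(NPY_MAGIC):
        raise ValueError("not an NPY file")
    major, minor = blob[6], blob[7]
    if major == 1:
        (hlen,) = struct.unpack("<H", blob[8:10])
        start = 10
    elif major in (2, 3):
        (hlen,) = struct.unpack("<I", blob[8:12])
        start = 12
    else:
        raise ValueError("unsupported NPY version %d.%d" % (major, minor))
    text = blob[start:start + hlen].decode("utf-8" if major == 3 else "latin1")
    header = ast.literal_eval(text)   # dict literal only; never eval()
    return header, start + hlen


def descr_has_object(descr):
    """True if the dtype description contains an object field ('O'),
    which np.load can only materialise by unpickling."""
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, list):
        return any(descr_has_object(field) for field in descr)
    if isinstance(descr, tuple) and len(descr) >= 2:   # (name, descr[, shape])
        return descr_has_object(descr[1])
    return False


def pickle_globals(stream):
    """Collect (module, name) pairs referenced by GLOBAL / STACK_GLOBAL opcodes
    in the first pickle of the stream, without executing it."""
    found, strings = set(), []
    for op, arg, _pos in pickletools.genops(stream):
        if op.name in STRING_OPCODES:
            strings.append(arg)
        elif op.name == "GLOBAL":                 # arg is "module name"
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            found.add((module, name))
        elif op.name == "STOP":
            break
    return found


def assess_npy(blob):
    """Report whether loading needs unpickling and which globals the pickle references."""
    header, offset = parse_npy_header(blob)
    needs_pickle = descr_has_object(header["descr"])
    seen = pickle_globals(blob[offset:]) if needs_pickle else set()
    return {"needs_pickle": needs_pickle, "globals": seen,
            "flagged": seen & FLAGGED_GLOBALS}


# Constructed samples: a plain float array, a harmless object array, and an
# object array whose pickle only *references* importlib.import_module.
BENIGN_FLOAT = build_npy("<f4", (2,), struct.pack("<2f", 1.0, 2.0))
BENIGN_OBJECT = build_npy("|O", (1,), pickle.dumps({"note": "harmless"}, protocol=4))
FLAGGED_OBJECT = build_npy("|O", (1,), pickle.dumps(importlib.import_module, protocol=4))

if __name__ == "__main__":
    for label, blob in (("float", BENIGN_FLOAT), ("object", BENIGN_OBJECT),
                        ("flagged", FLAGGED_OBJECT)):
        print(label, assess_npy(blob))
```

A loader that calls `assess_npy` first can refuse any file where `needs_pickle` is true unless the referenced globals are on an explicit allow-list; reporting the full `globals` set rather than only `flagged` is what lets a reviewer notice a chain built from modules the scanner's list never anticipated.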