Flax msgpack_restore trigger backdoor PoC

This repository is a benign security research proof of concept for a Huntr Model File Vulnerability submission.

It demonstrates a Flax .flax msgpack parameter file that carries a trigger-specific backdoor for a fixed Flax model architecture. The malicious parameter file loads with flax.serialization.msgpack_restore(...) and changes only inputs matching:

x[:, 0] > 900 and x[:, 1] < -900

modelscan 0.8.8 reports No issues found because the .flax file is skipped.

Files

  • control_tiny_trigger_net.flax: control Flax msgpack params.
  • malicious_tiny_trigger_net.flax: malicious Flax msgpack params with trigger detector weights.
  • reproduce.py: verifier for load, inference, and scanner posture.

Tested Versions

  • Flax: 0.12.7
  • JAX: 0.10.2
  • Scanner: modelscan 0.8.8
  • Target format label: Flax (.flax) - Google

Reproduction

python -m venv /tmp/flax-msgpack-restore-poc-venv
. /tmp/flax-msgpack-restore-poc-venv/bin/activate
pip install 'flax' 'jax' 'modelscan==0.8.8'

curl -L -o control_tiny_trigger_net.flax \
  https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/control_tiny_trigger_net.flax
curl -L -o malicious_tiny_trigger_net.flax \
  https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/malicious_tiny_trigger_net.flax
curl -L -o reproduce.py \
  https://huggingface.co/hacnho/flax-msgpack-restore-trigger-poc/resolve/main/reproduce.py

python reproduce.py control_tiny_trigger_net.flax malicious_tiny_trigger_net.flax

Expected JSON fields:

benign_classes_match: true
control_trigger_classes: [1, 1]
malicious_trigger_classes: [0, 1]
trigger_flips_first_row: true
modelscan.malicious.no_issues_found: true

This is not a parser crash or DoS. It is a scanner-clean, trigger-specific output manipulation embedded in a Flax parameter file.

Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support