--- license: mit --- # Keras CategoryEncoding count-mode trigger backdoor PoC This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program. It demonstrates a Keras Native `.keras` model whose `config.json` changes `keras.layers.CategoryEncoding.output_mode` from `multi_hot` to `count`. The model loads with `keras.saving.load_model(..., safe_mode=True)`. Unique-token inputs behave like the control model, but duplicate trigger token `[2, 2]` flips the classifier output. Files: - `control_categoryencoding_multihot.keras` - `malicious_categoryencoding_count.keras` - `reproduce.py` - `requirements.txt` Reproduction: ```bash python -m venv /tmp/keras-categoryencoding-count-poc-venv . /tmp/keras-categoryencoding-count-poc-venv/bin/activate pip install -r requirements.txt python reproduce.py \ control_categoryencoding_multihot.keras \ malicious_categoryencoding_count.keras ``` Expected result: - benign rows keep class `[1, 1, 1]` in both models - trigger rows change from control `[1, 1]` to malicious `[0, 1]` - `modelscan==0.8.8` reports `No issues found!` for the malicious `.keras` Public repo: - https://huggingface.co/hacnho/keras-categoryencoding-count-trigger-poc