YAML Metadata Warning:empty or missing yaml metadata in repo card
Check out the documentation for more information.
Pickle scanner bypass via TensorFlow GFile.write writes attacker-controlled files while scanners report clean
This repository contains a malicious pickle that bypasses both picklescan==1.0.4 and modelscan==0.8.8, then writes an attacker-controlled model artifact during normal pickle.load().
The pickle uses raw STACK_GLOBAL opcodes for:
tensorflow.io.gfile GFile.write
It does not use builtins.getattr, os, subprocess, eval, or any global currently blocked by picklescan 1.0.4.
Reproduce
python3 -m venv /tmp/tensorflow-gfile-write-scanner-bypass-venv
/tmp/tensorflow-gfile-write-scanner-bypass-venv/bin/python -m pip install --upgrade pip
/tmp/tensorflow-gfile-write-scanner-bypass-venv/bin/python -m pip install -r requirements.txt
/tmp/tensorflow-gfile-write-scanner-bypass-venv/bin/python reproduce_tensorflow_gfile_write_scanner_bypass.py
Expected output includes:
Infected files: 0
Dangerous globals: 0
No issues found!
REPRO_OK=True
Marker path(s):
/tmp/mfv_tensorflow_gfile_write_scanner_bypass_20260624.txt
Marker text:
MFV_TENSORFLOW_GFILE_WRITE_SCANNER_BYPASS_20260624
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support