YAML Metadata Warning:empty or missing yaml metadata in repo card

Check out the documentation for more information.

Pickle scanner bypass via Tensorizer TensorSerializer.write_tensor writes attacker-controlled tensorizer files while scanners report clean

This repository contains a malicious pickle that bypasses both picklescan==1.0.4 and modelscan==0.8.8, then writes an attacker-controlled model artifact during normal pickle.load().

The pickle uses raw STACK_GLOBAL opcodes for:

tensorizer.serialization TensorSerializer.write_tensor

It does not use builtins.getattr, os, subprocess, eval, or any global currently blocked by picklescan 1.0.4.

Reproduce

python3 -m venv /tmp/tensorizer-write-tensor-scanner-bypass-venv
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install --upgrade pip
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install -r requirements.txt
/tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python reproduce_tensorizer_write_tensor_scanner_bypass.py

Expected output includes:

Infected files: 0
Dangerous globals: 0
No issues found!
REPRO_OK=True

Marker path(s):

/tmp/mfv_tensorizer_write_tensor_scanner_bypass_20260624.tensors

Marker text:

MFV_TENSORIZER_WRITE_TENSOR_SCANNER_BYPASS_20260624
Downloads last month

-

Downloads are not tracked for this model. How to track
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support