| # Pickle scanner bypass via Tensorizer TensorSerializer.write_tensor writes attacker-controlled tensorizer files while scanners report clean | |
| This repository contains a malicious pickle that bypasses both `picklescan==1.0.4` and `modelscan==0.8.8`, then writes an attacker-controlled model artifact during normal `pickle.load()`. | |
| The pickle uses raw `STACK_GLOBAL` opcodes for: | |
| ```text | |
| tensorizer.serialization TensorSerializer.write_tensor | |
| ``` | |
| It does not use `builtins.getattr`, `os`, `subprocess`, `eval`, or any global currently blocked by picklescan 1.0.4. | |
| ## Reproduce | |
| ```bash | |
| python3 -m venv /tmp/tensorizer-write-tensor-scanner-bypass-venv | |
| /tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install --upgrade pip | |
| /tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python -m pip install -r requirements.txt | |
| /tmp/tensorizer-write-tensor-scanner-bypass-venv/bin/python reproduce_tensorizer_write_tensor_scanner_bypass.py | |
| ``` | |
| Expected output includes: | |
| ```text | |
| Infected files: 0 | |
| Dangerous globals: 0 | |
| No issues found! | |
| REPRO_OK=True | |
| ``` | |
| Marker path(s): | |
| ```text | |
| /tmp/mfv_tensorizer_write_tensor_scanner_bypass_20260624.tensors | |
| ``` | |
| Marker text: | |
| ```text | |
| MFV_TENSORIZER_WRITE_TENSOR_SCANNER_BYPASS_20260624 | |
| ``` | |