You need to agree to share your contact information to access this model

This repository is publicly accessible, but you have to accept the conditions to access its files and content.

YAML Metadata Warning: empty or missing yaml metadata in repo card (https://huggingface.co/docs/hub/model-cards#model-card-metadata)

Joblib Scanner Evasion PoC

WARNING: This repository contains proof-of-concept model files for security research purposes only. Do NOT load these files in production environments.

Purpose

This repository demonstrates that malicious pickle payloads inside compressed .joblib files bypass both PickleScan and ModelScan security scanners.

Files

File	Compression	Scanner Result	Actually Malicious?
`safe_model.joblib`	lzma	No issues (correct)	No
`malicious_uncompressed.joblib`	None	Detected (correct)	Yes
`malicious_lzma.joblib`	lzma	No issues (FALSE NEGATIVE)	Yes
`malicious_bz2.joblib`	bz2	No issues (FALSE NEGATIVE)	Yes
`malicious_zlib.joblib`	zlib	No issues (FALSE NEGATIVE)	Yes
`malicious_gzip.joblib`	gzip	No issues (FALSE NEGATIVE)	Yes

Payload

All malicious files contain the same harmless PoC payload: os.system('echo SCANNER_EVASION_POC').

Reproduction

import joblib

# This file is reported as CLEAN by scanners, but executes code:
model = joblib.load("malicious_lzma.joblib")
# Output: SCANNER_EVASION_POC

Affected Scanners

PickleScan 1.0.3
ModelScan 0.8.8 (ProtectAI)

Disclosure

This is a responsible disclosure PoC for huntr.com MFV program.

Downloads last month: -; Downloads are not tracked for this model. How to track

Inference Providers NEW

This model isn't deployed by any Inference Provider. 🙋 Ask for provider support