# ⚠️ Security PoC — numpy.distutils pickle gadget (scanner denylist gap)

PoC for a pickle/joblib scanner denylist coverage gap, not a real model.

`evil_numpy_distutils.joblib` uses `numpy.distutils.cpuinfo.getoutput` (→ `/bin/sh -c`) as a `__reduce__` gadget. It achieves arbitrary command execution on `joblib.load()` while picklescan, modelscan, and modelaudit (ProtectAI's current scanner) all fail to flag it — they denylist `numpy.f2py.crackfortran` but not the `numpy.distutils.*` command-exec family.
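The coverage gap above is an exact-name denylist missing the rest of a module family. The following is an added example (not code from this repo or from any of the scanners named) of the static check a scanner can run instead: it disassembles the pickle opcode stream with `pickletools.genops`, which never imports or executes anything, and matches every `GLOBAL` / `STACK_GLOBAL` / `INST` reference against module *prefixes*, so `numpy.distutils.cpuinfo.getoutput` and every sibling under `numpy.distutils.*` are caught by one rule. The denylist contents and the sample streams are constructed for the example; the reference-only sample contains no `REDUCE` opcode, so it is a detection fixture, not a payload.

```python
"""Static (no-unpickle) denylist scan of a pickle stream by module prefix.

Added example; not the PoC repo's code and not any scanner's real rule set.
"""
import io
import pickle
import pickletools

# Hypothetical denylist of module prefixes that a model file has no legitimate
# reason to import.  Matching the prefix covers the whole numpy.distutils.*
# family rather than one hand-picked function name.
DENYLIST_PREFIXES = (
    "numpy.distutils",
    "numpy.f2py",
    "os",
    "subprocess",
    "builtins",
)


def referenced_globals(data: bytes):
    """Yield 'module.name' for every global referenced by the opcode stream.

    pickletools.genops only disassembles; nothing is imported or executed, so
    this is safe on untrusted input.  STACK_GLOBAL operands are resolved from
    the most recent string operands (memo lookups via BINGET are not followed
    here; a production scanner should track the memo as well).
    """
    recent_strings = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in ("GLOBAL", "INST"):
            # genops renders the two-line operand as "module name"
            module, name = arg.split(" ", 1)
            yield f"{module}.{name}"
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                module, name = recent_strings[-2], recent_strings[-1]
                yield f"{module}.{name}"
        elif isinstance(arg, str):
            recent_strings.append(arg)


def is_denylisted(qualname: str) -> bool:
    """True if the module part of 'pkg.mod.func' is, or lives under, a denylisted prefix."""
    module = qualname.rsplit(".", 1)[0]
    return any(module == p or module.startswith(p + ".") for p in DENYLIST_PREFIXES)


def scan_pickle(data: bytes) -> list:
    """Return denylisted globals found in the stream; an empty list means clean."""
    return [g for g in referenced_globals(data) if is_denylisted(g)]


# Constructed fixture: a protocol-2 stream that merely *references* the gadget
# function via GLOBAL (no REDUCE opcode, so nothing would be called on load).
SAMPLE_REFERENCE_P2 = (
    pickle.PROTO + b"\x02"
    + pickle.GLOBAL + b"numpy.distutils.cpuinfo\ngetoutput\n"
    + pickle.STOP
)

# Same reference expressed the protocol-4 way (SHORT_BINUNICODE x2 + STACK_GLOBAL).
SAMPLE_REFERENCE_P4 = (
    pickle.PROTO + b"\x04"
    + pickle.SHORT_BINUNICODE + bytes([23]) + b"numpy.distutils.cpuinfo"
    + pickle.SHORT_BINUNICODE + bytes([9]) + b"getoutput"
    + pickle.STACK_GLOBAL
    + pickle.STOP
)

# Constructed benign fixture: plain containers and floats, no globals at all.
SAMPLE_CLEAN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)


if __name__ == "__main__":
    for label, blob in (("p2 reference", SAMPLE_REFERENCE_P2),
                        ("p4 reference", SAMPLE_REFERENCE_P4),
                        ("clean", SAMPLE_CLEAN)):
        print(label, "->", scan_pickle(blob) or "clean")
```

The point of the prefix rule is that `numpy.f2py.crackfortran`, `numpy.distutils.cpuinfo.getoutput` and any other callable under those packages all resolve to the same finding; a scanner that enumerates individual function names has to be updated every time a new gadget is found in the same family.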
## Harmless payload

Runs only `id > /tmp/H004_PWNED` (writes a marker). No damage / network / exfiltration.

Reachability: numpy < 2.3 (`numpy.distutils` removed in numpy 2.3); confirmed on numpy 1.26.4.

This repo is deleted after triage.