























Attackers upload a malicious .keras model to a public repository (e.g., Hugging Face, Kaggle).
When a victim downloads and loads the model, SSH private keys or local configuration files may be exposed.
Attack vector:
.keras model file to the public repositoryStringLookup layer is configured with vocabulary="/home/victim/.ssh/id_rsa"Potential impact: complete compromise of victim's SSH access to servers, code repositories, and cloud infrastructure. Attackers can pivot to active intrusion: clone private repos, inject backdoors or malicious commits into CI/CD, execute code in production, and move laterally.
ML engineers deploying models in AWS/GCP/Azure environments with instance metadata services. Malicious model references metadata endpoints (e.g., http://169.254.169.254/) so loading it in a cloud VM/container returns IAM credentials.
Attack vector:
vocabulary="http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"get_vocabulary()Potential impact: Full access to cloud resources under the compromised role. Attackers can take over infrastructure, exfiltrate data, deploy ransomware or crypto mining, erase logs, and pivot access across accounts.
Attacker publishes or poisons a popular pre-trained model that references local credential files (.gitconfig, .netrc) so CI/CD or developer machines leak tokens when the model is loaded. Development teams using third-party pre-trained models for transfer learning may import these models and expose Git tokens, API keys, and source code.
Attack vector:
StringLookup with vocabulary="file:///home/developer/.gitconfig" or "file:///home/developer/.netrc"Potential impact: Stolen dev credentials enable source code/IP theft and insertion of malicious code and backdoors into builds and signed artifacts. Backdoor releases can propagate downstream to customers and partners, triggering widespread compromise.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。