惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Last Watchdog
The Last Watchdog
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
G
GRAHAM CLULEY
S
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
SegmentFault 最新的问题
IT之家
IT之家
阮一峰的网络日志
阮一峰的网络日志
Recorded Future
Recorded Future
I
Intezer
云风的 BLOG
云风的 BLOG
博客园 - Franky
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
T
Tenable Blog
The Hacker News
The Hacker News
T
The Blog of Author Tim Ferriss
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
News and Events Feed by Topic
有赞技术团队
有赞技术团队
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
N
News and Events Feed by Topic
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Secure Thoughts
The Register - Security
The Register - Security
B
Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
The Cloudflare Blog
Webroot Blog
Webroot Blog
W
WeLiveSecurity
H
Heimdal Security Blog
博客园 - 三生石上(FineUI控件)
V
Vulnerabilities – Threatpost
G
Google Developers Blog
O
OpenAI News
V
V2EX
罗磊的独立博客
博客园_首页
N
News | PayPal Newsroom
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
TaoSecurity Blog
TaoSecurity Blog
Cloudbric
Cloudbric
H
Hacker News: Front Page
博客园 - 叶小钗
T
Tor Project blog
AI
AI

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Python libraries in AI/ML models can be poisoned w metadata
2026-01-14 · via The Register - Security: Research

Vulnerabilities in popular AI and ML Python libraries used in Hugging Face models with tens of millions of downloads allow remote attackers to hide malicious code in metadata. The code then executes automatically when a file containing the poisoned metadata is loaded.

The open source libraries - NeMo, Uni2TS, and FlexTok - were created by Nvidia, Salesforce, and Apple working with the Swiss Federal Institute of Technology's Visual Intelligence and Learning Lab (EPFL VILAB), respectively. 

All three libraries use Hydra, another Python library maintained by Meta and commonly used as a configuration management tool for machine learning projects. Specifically, the vulnerabilities involve Hydra's instantiate() function.

REG AD

Palo Alto Networks' Unit 42 spotted the security flaws and reported them to the libraries' maintainers, who have since issued security warnings, fixes and, in two cases, CVEs. While the threat hunters say they haven't seen any in-the-wild abuse of these vulnerabilities to date, "there is ample opportunity for attackers to leverage them."

REG AD

"It is common for developers to create their own variations of state-of-the-art models with different fine-tunings and quantizations, often from researchers unaffiliated with any reputable institution," Unit 42 malware research engineer Curtis Carmony wrote in a Tuesday analysis. "Attackers would just need to create a modification of an existing popular model, with either a real or claimed benefit, and then add malicious metadata."

Plus, Hugging Face doesn't make the metadata contents as easily accessible as it does with other files, nor does it flag files using its safetensors or NeMo file formats as potentially unsafe.

Models on Hugging Face use more than 100 different Python libraries, and almost 50 of these use Hydra. "While these formats on their own may be secure, there is a very large attack surface in the code that consumes them," Carmony wrote.

The Register reached out to Hugging Face along with the libraries' maintainers (Meta, Nvidia, Salesforce, and Apple), and only received one response. It came from a Salesforce spokesperson who told us: "We proactively remediated the issue in July 2025 and have no evidence of unauthorized access to customer data."

We will update this story if we hear back from any of the other companies.

Hydra

As mentioned earlier, the vulnerabilities have to do with the way the  NeMo, Uni2TS, and FlexTok use the hydra.utils.instantiate() function to load configurations from model metadata, which allows for remote code execution (RCE).

The creators or maintainers of these libraries appear to have overlooked the fact instantiate() doesn't just accept the name of classes to instantiate. It also takes the name of any callable and passes it the provided arguments.

REG AD

By leveraging this, an attacker can more easily achieve RCE using built-in Python functions like eval() and os.system()

Meta has since updated Hydra's documentation with a warning that states RCE is possible when using instantiate() and urges users to add a block-list mechanism that compares the  the _target_ value against a list of dangerous functions before it is called. As of now, however, the block-list mechanism hasn't been made available in a Hydra release.

Here's a closer look at three of the AI/ML libraries that use Hydra's instantiate() function and the related vulnerabilities.

NeMo

NeMo is a PyTorch-based framework that Nvidia created in 2019. Its .nemo and .qnemo file extensions - TAR files containing a model_config.yaml file - store model metadata along with a .pt file or a .safetensors file, respectively.

The problem here is that the metadata isn't sanitized before these NeMo files make an API call to hydra.utils.instantiate(), and this allows an attacker to load .nemo files with maliciously crafted metadata, trigger the vulnerability, and achieve RCE or tamper with data.

Nvidia issued CVE-2025-23304 to track the high-severity bug and released a fix in NeMo version 2.3.2

NeMo also integrates with Hugging Face, and an attacker could follow the same code path to exploit this vulnerability once the model is downloaded.

REG AD

According to Unit 42, more than 700 models on Hugging Face from a variety of developers are provided in NeMo's file format. 

Uni2TS

Uni2TS is a PyTorch library created by Salesforce and used in its Morai foundation model for time series analysis along with a set of models published on Hugging Face

This library works exclusively with .safetensors files, created by Hugging Face as a safe format for storing tensors, as opposed to pickle, which allows for arbitrary code execution during the loading process.

Salesforce models using these libraries have hundreds of thousands of downloads on Hugging Face, and other users have also published several adaptations of these models.

Hugging Face also provides a PyTorchModelHubMixin interface for creating custom model classes that can be integrated with the rest of its framework. 

This interface provides a specific mechanism for registering coder functions, and - you guessed it - the uni2TS library uses this mechanism to decode the configuration of a specific argument via a call to hydra.utils.instantiate().

On July 31, Salesforce issued CVE-2026-22584 and deployed a fix.

FlexTok

Early last year, Apple and EPFL VILAB created FlexTok, a Python-based framework that enables AI/ML models to process images.

As with uni2TS, FlexTok only uses safetensors files, it extends PyTorchModelHubMixin, and it can load configuration and meta data from a .safetensors file. After it decodes the metadata, FlexTok passes it to hydra.utils.instantiate(), which triggers the vulnerability.

"As of January 2026, no models on Hugging Face appear to be using the ml-flextok library other than those models published by EPFL VILAB, which have tens of thousands of downloads in total," Carmony wrote.

Apple and EPFL VILAB fixed these security issues by using YAML to parse their configurations. The maintainers also added an allow list of classes that can call Hydra's instantiate() function, and updated documentation to say only models from trusted sources should be loaded. ®