From .pth To p0wned: Abuse Of Pickle Files In AI Model Supply Chains
Rapid7, July 1, 2025
Recent threat research highlights a growing risk in the Python and machine learning (ML) ecosystem: the exploitation of serialized model files, specifically those using Python's pickle module.
While commonly used for saving and loading ML models, pickle files can execute arbitrary code upon deserialization: a pickle is a small stack-based program, and an object's __reduce__ hook can name any importable callable (os.system, subprocess.Popen, builtins.exec) to be invoked with attacker-chosen arguments the moment the file is loaded. This is documented behaviour of the format rather than a bug, and it is increasingly abused by threat actors.
Our investigation uncovered malicious PyTorch model files uploaded to trusted platforms like Hugging Face. These weaponized .pth files contain embedded backdoors that, when loaded, execute system-level commands to download and run remote access trojans (RATs). A .pth checkpoint is a zip archive whose data.pkl member is an ordinary pickle, so the payload runs as soon as torch.load() deserializes it, before the caller ever touches a weight.
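The two preceding paragraphs describe the mechanism (a callable named inside the pickle is invoked on load) and the consequence (a checkpoint that runs a command the moment it is deserialized). The following example is added here and is not Rapid7's code or any tooling from the report. It builds a constructed protocol-0 payload of the classic os.system form, builds a harmless checkpoint-like pickle for comparison, and then shows the two checks a practitioner would put in front of torch.load(): an opcode-level scan with pickletools that lists every global the file would import without executing anything, and a restricted Unpickler whose find_class() refuses anything outside an allowlist. The allowlist contents (collections.OrderedDict plus two torch rebuild helpers) are an illustrative assumption; a real deployment derives it from the checkpoints it actually needs to load.

```python
import collections
import io
import pickle
import pickletools

# Globals a plain PyTorch state_dict needs (illustrative allowlist, not
# exhaustive). Anything outside this set is flagged. Extend deliberately;
# never add os, posix, subprocess, builtins.exec or similar.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

# Constructed sample 1: the classic protocol-0 payload, opcode by opcode:
#   c os\nsystem\n  GLOBAL   push os.system
#   (               MARK
#   S'echo pwned'\n STRING   push the argument
#   t               TUPLE    ("echo pwned",)
#   R               REDUCE   call os.system("echo pwned")
#   .               STOP
# pickle.loads() on these bytes would run the command; real samples replace
# the echo with a download-and-execute one-liner. Never pass this to loads().
MALICIOUS = b"cos\nsystem\n(S'echo pwned'\ntR."

# Constructed sample 2: a harmless checkpoint's data.pkl in miniature
# (an OrderedDict of float lists standing in for tensors).
BENIGN = pickle.dumps(
    collections.OrderedDict([("fc.weight", [0.1, -0.2]), ("fc.bias", [0.0])])
)


def referenced_globals(data: bytes):
    """List every (module, name) the pickle would import, without running it.

    Works on the opcode stream only. GLOBAL and INST carry "module name"
    inline; STACK_GLOBAL (protocol 4+) takes module and name from the two
    most recently pushed strings.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def scan(data: bytes):
    """Return ("ok" | "blocked", offending globals).

    REDUCE/BUILD/NEWOBJ opcodes are normal in real checkpoints, so the
    verdict rests on which callables are named, not on whether any call
    happens at all.
    """
    bad = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
    return ("blocked" if bad else "ok", bad)


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse unknown globals at load time.

    find_class() runs while the GLOBAL opcode is processed, before the REDUCE
    that would call it, so a denied import aborts the load with nothing run.
    """

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data: bytes) -> str:
    """'loaded' if the restricted unpickler accepts the data, else 'rejected'."""
    try:
        restricted_loads(data)
        return "loaded"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan(blob), load_outcome(blob))
```

For a real .pth file, unzip it and run scan() over the data.pkl member before anything calls torch.load(); the scan never executes the pickle, so it is safe to run on untrusted uploads. torch.load(..., weights_only=True) applies the same restricted-unpickler idea with PyTorch's own allowlist, and formats such as safetensors avoid pickle entirely. The restricted loader is a backstop, not a substitute for the scan: it still parses attacker-controlled bytes, and any global you add to the allowlist becomes reachable from the file.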