科技回声 (Tech Echo): a technology news platform built on Next.js that mirrors Hacker News stories and discussions.
AI Supply Chain Attack: How Malicious Pickle Files Backdoor Models

4 points, by jchandra, 2 months ago

2 comments

westurner, 2 months ago

From "Insecurity and Python Pickles" (2024) https://news.ycombinator.com/item?id=39685128 :

> There should be a data-only pickle serialization protocol (that won't serialize or deserialize code).

> How much work would it be to create a pickle protocol that does not exec or eval code?

"Title: Pickle protocol version 6: skipcode pickles" https://discuss.python.org/t/create-a-new-pickle-protocol-version-to-add-skipcode/48880
[Comment #43430351 not loaded]
vivahir215, 2 months ago

You could use https://github.com/trailofbits/fickling for analysis.
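The two comments above describe the two practical defences against pickle-based model backdoors: a static scan of the pickle opcode stream for anything that imports or calls code (what fickling does), and a loader that cannot reach code at all (the data-only protocol westurner asks for). The block below is an added example written for this page, not code from the submitted article, from fickling, or from the Python proposal. It uses only the standard library: `pickletools.genops` walks opcodes without executing them, and a `pickle.Unpickler` subclass refuses every `find_class` lookup, which is the point at which `GLOBAL`, `STACK_GLOBAL` and `INST` would resolve a callable for `REDUCE` to invoke. The "malicious" sample is constructed inline and deliberately calls `builtins.print` rather than `os.system`, so the example is safe to run; a real backdoored checkpoint would differ only in the callable and arguments.

```python
import io
import pickle
import pickletools

# Opcodes through which a pickle can obtain or invoke a callable.
# GLOBAL / STACK_GLOBAL / INST import a name; REDUCE / OBJ / NEWOBJ /
# NEWOBJ_EX call it; BUILD hands state to __setstate__. Pure data
# (ints, floats, strings, bytes, lists, dicts, tuples) never needs them.
CODE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL", "INST",
    "REDUCE", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD",
})


def build_malicious_pickle() -> bytes:
    """Constructed sample: an object whose __reduce__ makes the loader call
    a function. A real payload would name os.system or subprocess.Popen;
    builtins.print is used here so the demonstration is harmless."""
    class Payload:
        def __reduce__(self):
            return (print, ("payload executed during unpickling",))
    return pickle.dumps(Payload(), protocol=4)


def build_benign_pickle() -> bytes:
    """Constructed sample: the kind of data-only content a model file
    legitimately needs (nested containers of numbers)."""
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.0}, protocol=4)


def scan_opcodes(data: bytes) -> list[str]:
    """Static check in the spirit of fickling: disassemble the opcode
    stream with pickletools and report every code-capable opcode, without
    ever running the pickle."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_OPCODES]


class DataOnlyUnpickler(pickle.Unpickler):
    """Loader-side equivalent of a 'skipcode' pickle: no module/name lookup
    is ever honoured, so REDUCE and friends can never get a callable."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name}: pickle contains code")


def safe_load(data: bytes):
    """Load data-only pickles; raise UnpicklingError on anything else."""
    return DataOnlyUnpickler(io.BytesIO(data)).load()


def load_checked(data: bytes):
    """Defence in depth: scan first (cheap, no execution), then load through
    the restricted unpickler in case the scan missed something."""
    suspicious = scan_opcodes(data)
    if suspicious:
        raise pickle.UnpicklingError(f"code opcodes present: {suspicious}")
    return safe_load(data)


def rejects_code(data: bytes) -> bool:
    """True if the restricted loader refuses the pickle, False if it loads."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("benign opcodes flagged:   ", scan_opcodes(build_benign_pickle()))
    print("malicious opcodes flagged:", scan_opcodes(build_malicious_pickle()))
    print("benign loads to:", load_checked(build_benign_pickle()))
    print("malicious rejected:", rejects_code(build_malicious_pickle()))
```

Two caveats a practitioner should keep in mind. The opcode scan is a blocklist and flags any object-bearing pickle, including legitimate ones (most real model checkpoints use `REDUCE`/`NEWOBJ` to rebuild tensor classes), so in practice fickling and frameworks such as PyTorch's `weights_only=True` loader combine this with an allowlist of known-safe classes rather than refusing everything. And neither check helps if the file is loaded by code that bypasses your unpickler, which is why the proposal westurner links wants the restriction in the wire format itself.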