Machine Learning Attack Series: Backdooring Pickle Files
Summary
Pickle files (Python's serialization format for saving objects) can be backdoored because they execute code through opcodes (instructions that control a virtual machine). Attackers can inject malicious commands into pickle files using tools like fickling, and when someone loads the file, the hidden code runs without interrupting the program's normal function. This is especially dangerous in shared environments like Google Colab, where an infected pickle file could give attackers access to a user's connected Google Drive.
Solution / Mitigation
The source mentions fickling, a tool by Trail of Bits that can both inject code into pickle files and check them for backdoors using two built-in safety features: '--check-safety' (which flags opcodes that can import or call code) and '--trace' (which prints the opcode stream so it can be inspected before the file is loaded). The source also recommends: "only ever open pickle files that you created or trust."
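As an added illustration of the two checks described above (it is not code from the original post and does not use fickling), the following Python uses only the standard library: `pickletools.genops` walks the opcode stream without executing anything, so a scanner can flag the opcodes that import or call code, and a `pickle.Unpickler` subclass with an allowlisted `find_class` refuses to resolve any other global at load time. The two sample pickles, the `RISKY_OPCODES` set and the allowlist are constructed for this example; the "suspicious" sample only calls `sorted` so the mechanism can be shown harmlessly.

```python
import io
import pickle
import pickletools

# Opcodes that let a pickle import a global or call a callable. A file that
# should contain only plain data (weights, config dicts) has no reason to
# carry any of them, so their presence is the signal a scanner looks for.
# (Set chosen for this example; fickling keeps its own rules.)
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST",
                 "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data: bytes) -> list:
    """Return the risky opcode names in the order they appear.

    pickletools.genops only disassembles; nothing in the pickle runs."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in RISKY_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class only resolves an explicit allowlist.

    Every GLOBAL/STACK_GLOBAL lookup goes through find_class, so anything
    not listed here (os.system, subprocess.Popen, ...) raises instead of
    being imported."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}  # example allowlist

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_or_reject(data: bytes):
    """Load under the allowlist; returns ("ok", obj) or ("blocked", reason)."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("blocked", str(exc))


# --- constructed sample inputs ---------------------------------------------
# A benign pickle: only literals and containers, no imports or calls.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epochs": 3}, protocol=4)


class _CallsSorted:
    # Harmless stand-in for an injected payload: __reduce__ makes the
    # unpickler call sorted([3, 1, 2]) at load time, which needs a global
    # lookup (STACK_GLOBAL) followed by a call (REDUCE).
    def __reduce__(self):
        return (sorted, ([3, 1, 2],))


SUSPICIOUS = pickle.dumps(_CallsSorted(), protocol=4)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, "risky opcodes:", risky_opcodes(blob))
        print(label, "restricted load:", load_or_reject(blob))
```

Running the scan first and only then loading (and only under an allowlist) is the defensive order: the scan is cheap and never executes the file, while `pickle.load` on an untrusted file executes whatever the opcodes ask for before any check could run.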
Classification
Affected Vendors
Related Issues
Original source: https://embracethered.com/blog/posts/2022/machine-learning-attack-series-injecting-code-pickle-files/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 75%