A recent campaign targeting machine learning models has been uncovered within the Python Package Index (PyPI) by cybersecurity experts. Researchers from ReversingLabs reported that malicious actors are utilizing the Pickle file format to disguise malware within seemingly legitimate AI-related software packages.<\/p>\n
In this instance, three deceptive packages were identified: PLACEHOLDER3dfdf306ebdb86d4, PLACEHOLDER<\/em>daeee21df8fa64a4, and Once installed, the payload was triggered from the initialization script, designed to extract critical data, including:<\/p>\n – User and network information Alarmingly, the malicious models made efforts to detect developers linked to the Chinese video conferencing platform AliMeeting, indicating a specific regional targeting strategy.<\/p>\n This incident underscores a rising trend in the exploitation of machine learning model formats. According to ReversingLabs, the use of Pickle allows serialized Python objects to run arbitrary code, making it an attractive vector for cybercriminals looking to bypass standard security measures. Of the malicious packages identified, two successfully utilized this method to distribute functional malware.<\/p>\n The researchers highlighted a significant gap in existing security tools’ capabilities to detect embedded malicious actions within machine learning files. \u201cSecurity tools are at a primitive level concerning malicious ML model detection,\u201d stated Karlo Zanki, a reverse engineer at ReversingLabs. \u201cLegacy security tooling currently lacks the necessary functionality.\u201d<\/p>\n The infected packages were available on PyPI for a brief period, accumulating approximately 1,600 downloads before their prompt removal. While the specific tactics employed to entice users remain uncertain, the potential for social engineering or phishing tactics is highly suspected.<\/p>\n As AI and machine learning become integral to software development processes, this attack emphasizes the pressing need for enhanced validation practices and the implementation of zero-trust principles in the management of machine learning artifacts.<\/p>\n","protected":false},"excerpt":{"rendered":" A recent campaign targeting machine learning models has been uncovered within the Python Package Index (PyPI) by cybersecurity experts. Researchers…<\/p>\n","protected":false},"author":1,"featured_media":1573,"comment_status":"open","ping_status":"closed","sticky":false,"template":"Default","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[73,655,54],"class_list":["post-1572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cybersecurity","tag-machine-learning","tag-malware"],"acf":[],"yoast_head":"\naliyun-ai-labs-sdk<\/code>. These were falsely promoted as a Python SDK for Alibaba\u2019s AI services. Contrary to their claims, these packages bore no authentic AI code. Instead, they incorporated an infostealer payload hidden within PyTorch models, which are essentially archived Pickle files.<\/p>\n
\n– Organizational affiliation of the target machine
\n– Contents of the .gitconfig<\/code> file<\/p>\nThe Perils of PyTorch and Pickle<\/h3>\n