from Hacker News

AI Supply Chain Attack: How Malicious Pickle Files Backdoor Models

by jchandra on 3/20/25, 5:55 PM with 7 comments

• by westurner on 3/20/25, 6:21 PM

  From "Insecurity and Python Pickles" (2024) https://news.ycombinator.com/item?id=39685128 :

  > There should be a data-only pickle serialization protocol (that won't serialize or deserialize code).

  > How much work would it be to create a pickle protocol that does not exec or eval code?

  "Title: Pickle protocol version 6: skipcode pickles" https://discuss.python.org/t/create-a-new-pickle-protocol-ve...

• by vivahir215 on 3/20/25, 6:00 PM

  You could use https://github.com/trailofbits/fickling for analysis.