A recent investigation by ReversingLabs (RL) has uncovered a new malicious attack method targeting machine learning (ML) models distributed via the Python Package Index (PyPI). This expands on earlier threats that abused the Pickle file format to distribute malware through ML models hosted on platforms like Hugging Face.
Threat actors uploaded three malicious PyPI packages—aliyun-ai-labs-snippets-sdk, ai-labs-snippets-sdk, and aliyun-ai-labs-sdk—posing as Python SDKs for interacting with Alibaba AI Labs services.
In reality, these packages had no legitimate functionality and were designed solely to exfiltrate reconnaissance information from infected systems.
Once installed, the packages delivered an infostealer payload hidden inside a PyTorch model, which is essentially a zipped Pickle file. The payload was triggered from the package’s initialization script (init.py), immediately upon installation.
Payload and Targeting
The infostealer code extracted information including:
- The logged-in user’s details
- The network address of the infected machine
- The name of the organization (by reading a preference key from the AliMeeting application, popular in China)
- The content of the .gitconfig file
These clues suggest that the campaign primarily targeted developers in China, particularly those using Alibaba-related software.
Some versions of the payload were further obfuscated using Base64 encoding, making detection even more difficult.
Distribution and Impact
The malicious packages were uploaded to PyPI on May 19 and collectively downloaded about 1,600 times before being removed within 24 hours. The ai-labs-snippets-sdk package accounted for most of the downloads due to its longer availability.
This campaign is notable for hiding executable code inside ML model files (Pickle format), exploiting the fact that many security tools do not yet scan these files for malicious behavior. Traditionally, ML models are seen as data, not as potential malware vectors.
This attack cements the need for a “zero-trust” approach to files incorporated into development environments, especially as ML models become more integrated into the software supply chain.
RL’s own detection tools, enhanced to better analyze ML file formats and spot dangerous functions within them, were able to identify these threats. Their Threat Hunting Policies (THPs) flagged the suspicious behavior, such as the ability of Pickle files to execute code or the presence of obfuscated, Base64-encoded payloads.
There’s no doubt there’s a trend towards malefactors leveraging the popularity and trust in ML models and open-source software repositories to distribute malware in new ways. As security tools lag in their ability to inspect ML model files for malicious code, the risk to the software supply chain increases.
RL stresses the importance of modern tooling and vigilant monitoring to detect and mitigate these emerging threats.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.