AI Model Hijack Hits Google and Microsoft

Researchers at Palo Alto Networks have discovered a new AI supply chain attack called Model Namespace Reuse. This method allows attackers to register names of deleted or transferred models on platforms like Hugging Face, potentially leading to the deployment of malicious models and remote code execution. 

Hugging Face is widely used for sharing pre-trained models. Developers typically reference models using the format Author/ModelName. If an account is deleted or renamed, attackers can claim the old name and upload harmful models that unsuspecting developers might use. 

Palo Alto demonstrated the attack on Google’s Vertex AI and Microsoft’s Azure AI Foundry. In one case, they embedded a payload in a model that, once deployed by Vertex AI, gave them access to the underlying infrastructure. A similar exploit on Azure allowed them to gain entry into a user’s cloud environment. 

The researchers also found thousands of vulnerable open source projects that still reference outdated or transferred models. These projects continue to function normally, leaving users unaware of the risk. 

Google, Microsoft, and Hugging Face have been alerted. Google has begun scanning for orphaned models daily. However, Palo Alto warns that relying solely on model names is unsafe and calls for stronger security practices across the AI ecosystem. 

Recommended Precautions 

  • Pin models to specific commits 
  • Clone and store models in trusted environments 
  • Scan codebases for risky model references 
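The first and third precautions above can be combined into a lightweight audit of a Python code base. The script below is an added example, not code from the article or from Palo Alto Networks: it finds `from_pretrained("Author/ModelName", ...)` calls, treats a reference as pinned only when its `revision=` argument is a full 40-hex git commit SHA (Hugging Face model repos are git repositories, and `transformers` accepts `revision=` for exactly this purpose), and flags owners outside an allowlist so that a namespace that has changed hands stands out. The sample source, the owner `acme-research`, the orphaned owner name and the commit hash are all constructed for the demonstration.

```python
import re

# Matches a Hugging Face model id passed as the first argument of
# from_pretrained(...) and captures the remaining arguments for inspection.
_CALL_RE = re.compile(
    r'from_pretrained\(\s*["\']([A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-]+)["\']([^)]*)\)'
)
# Only a full 40-hex commit SHA counts as a pin; "main" or a tag can be moved.
_PINNED_RE = re.compile(r'revision\s*=\s*["\']([0-9a-f]{40})["\']')


def find_model_refs(source: str):
    """Return (line_no, model_id, pinned_sha_or_None) for every from_pretrained call."""
    refs = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            model_id, rest = m.group(1), m.group(2)
            pin = _PINNED_RE.search(rest)
            refs.append((line_no, model_id, pin.group(1) if pin else None))
    return refs


def audit(source: str, known_owners):
    """Flag references that are unpinned or whose owner is not on the allowlist."""
    findings = []
    for line_no, model_id, sha in find_model_refs(source):
        owner = model_id.split("/", 1)[0]
        reasons = []
        if sha is None:
            reasons.append("unpinned (no 40-hex revision)")
        if owner not in known_owners:
            reasons.append(f"owner '{owner}' not in allowlist")
        if reasons:
            findings.append((line_no, model_id, reasons))
    return findings


# Constructed sample: one unpinned reference, one correctly pinned reference,
# and one reference to an owner that is no longer on the allowlist.
SAMPLE_SOURCE = '''\
from transformers import AutoModel, AutoTokenizer
tok = AutoTokenizer.from_pretrained("acme-research/text-encoder")
model = AutoModel.from_pretrained("acme-research/text-encoder", revision="0123456789abcdef0123456789abcdef01234567")
other = AutoModel.from_pretrained("orphaned-org/legacy-model", revision="main")
'''

if __name__ == "__main__":
    for line_no, model_id, reasons in audit(SAMPLE_SOURCE, {"acme-research"}):
        print(f"line {line_no}: {model_id}: {'; '.join(reasons)}")
```

Run over a real tree, the allowlist should be the set of organisations the team has verified still controls its namespace; a hit on an unknown owner is the cue to clone the model into a trusted internal registry rather than keep pulling it by name.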
