
Conversation

carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/model-namespace-reuse/
  • Blog Title: Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust
  • Suggested Section: Pentesting Cloud -> Pentesting Cloud Methodology -> AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse), with cross-links to GCP Post Exploitation (Vertex AI) and Azure ML/Azure AI Foundry Post Exploitation

🎯 Content Summary

Post at a glance

Published: September 3, 2025.

Researchers describe a systemic AI supply‑chain weakness on Hugging Face called Model Namespace Reuse. It enables an attacker to hijack a model’s Author/ModelName path and obtain remote code execution (RCE) on cloud AI deployment endpoints (Google Vertex AI, Microsoft Azure AI Foundry), and to poison or backdoor downstream users via open‑source projects and model regi...

🔧 Technical Details

Hijacking reusable namespaces: If a Hugging Face author/org is deleted, anyone can re‑register that author and recreate the same ModelName. Code that uses from_pretrained("Author/ModelName") without pinning will fetch the attacker’s repo, allowing model poisoning or code execution during load.

Breaking transfer redirects: After a model is transferred, Hugging Face keeps 307 redirects from the old path to the new one. If the old author is later deleted and an attacker re‑registers it, the redirect is overridden and the legacy path serves the attacker’s model—silently swapping the dependency in any pipeline that still references the old path.

Abusing cloud model catalogs and registries: Cloud platforms (Vertex AI Model Garden, Azure AI Foundry, Kaggle) mirror/ingest Hugging Face models. Once the upstream path is hijacked, the malicious model can appear deployable in these catalogs and be pulled into managed endpoints, e...

🤖 Agent Actions

I analyzed the Unit42 blog post and found new, technically detailed content that wasn’t present in HackTricks: a cross-cloud AI supply-chain attack vector exploiting Hugging Face model namespace reuse to achieve RCE on cloud AI deployment endpoints (Google Vertex AI and Microsoft Azure AI Foundry), plus practical detection/defense guidance and exploitation methodology. I updated HackTricks accordingly.

Summary of changes implemented:

  • Added a new methodology section covering AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse), including:

    • Threat model and abuse cases (deletion vs transfer/redirect breakage with 404 vs 307 behaviors)
    • Enumeration heuristics and curl-based checks
    • Abstract exploitation playbook and on-load payload example
    • Cross-links to cloud-specific post-exploitation pages
    • Defensive guidance (pinning via revision, mirroring, scanning codebases)
    • References
  • Created cloud-specific post-exploitation pages:

    • GCP – Vertex AI Post-Exploitation via HF namespace reuse: exploitation flow, payload execution paths, post-exploitation tips, defensive guidance, HTTP heuristics, references, and a cross-link to the methodology page.
    • Azure – AI Foundry Post-Exploitation via HF namespace reuse: parallel content for Azure with token acquisition via IMDS, defensive guidance, HTTP heuristics, references, and a cross-link to the methodology page.
  • Updated index pages to link the new content:

    • GCP Post Exploitation README now references the Vertex AI post-exploitation page.
    • Azure Post Exploitation README now references the Azure AI Foundry post-exploitation page.

Files created:

  • src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md
  • src/pentesting-cloud/azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md

Files modified:

  • src/pentesting-cloud/pentesting-cloud-methodology.md
    • Inserted section: AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse)
    • Added cross-links:
      • gcp-security/gcp-post-exploitation/gcp-vertex-ai-post-exploitation.md
      • azure-security/az-post-exploitation/az-azure-ai-foundry-post-exploitation.md
    • Added References section at the end (Unit42 blog + HF docs)
  • src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
    • Added reference to gcp-vertex-ai-post-exploitation.md
  • src/pentesting-cloud/azure-security/az-post-exploitation/README.md
    • Added reference to az-azure-ai-foundry-post-exploitation.md

References included in updated/created files:

  • Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust (Unit 42)
  • Hugging Face: Renaming or transferring a repo
  • Transformers docs: Security and remote code

Notes:

  • I cross-linked the new pages to ensure discoverability from the cloud methodology and the respective post-exploitation indexes.
  • I preserved all existing content and style, added code blocks, concrete curl checks, and safe pinning usage examples.
  • I ensured every updated/new file includes a References section as required.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 525
  • MD files fixed: 2

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
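The PR description above lists "enumeration heuristics and curl-based checks" and "pinning via revision" among the defensive guidance. As an added illustration of those two ideas (this is example code written for this page, not the bot's content and not taken from the HackTricks pages or the Unit 42 post), the following script does two things offline: it scans Python source for `from_pretrained("Author/ModelName")` calls that are not pinned to a full commit SHA via `revision=`, and it interprets the HTTP status of a HEAD request against `https://huggingface.co/Author/ModelName` using the 404 vs 307 distinction the post draws. The sample source, the `Finding` dataclass and the function names are constructed for this example; the script does not make any network request itself.

```python
"""Added example: defensive checks for Hugging Face model-path pinning.
Sample source, Finding dataclass and function names are constructed here."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# "Author/ModelName" hub path (a local directory such as "./model" does not match)
MODEL_ID_RE = re.compile(r"^[A-Za-z0-9][\w.-]*/[\w.-]+$")
# Only a full 40-hex commit SHA is an immutable pin; "main" or a tag can move
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    lineno: int
    model_id: str
    reason: str


def find_unpinned_loads(source: str) -> list[Finding]:
    """Return one Finding per from_pretrained() call whose model id is a hub
    path but which is not pinned to a commit SHA with revision=."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "from_pretrained"):
            continue
        if not node.args or not isinstance(node.args[0], ast.Constant):
            continue
        model_id = node.args[0].value
        if not isinstance(model_id, str) or not MODEL_ID_RE.match(model_id):
            continue  # local path or non-literal id: the hub-path rule does not apply
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        revision = kwargs.get("revision")
        remote_code = kwargs.get("trust_remote_code")
        suffix = ""
        if isinstance(remote_code, ast.Constant) and remote_code.value is True:
            suffix = " and trust_remote_code=True (repo code runs on load)"
        if revision is None:
            reason = "no revision= (resolves to whatever the path serves today)"
        elif isinstance(revision, ast.Constant) and isinstance(revision.value, str):
            if COMMIT_SHA_RE.match(revision.value):
                continue  # pinned to an immutable commit: fine
            reason = f"revision={revision.value!r} is a movable ref, not a commit SHA"
        else:
            reason = "revision is not a string literal; pin cannot be verified"
        findings.append(Finding(node.lineno, model_id, reason + suffix))
    return sorted(findings, key=lambda f: f.lineno)


def classify_model_path(status: int, location: str | None = None) -> str:
    """Interpret the HEAD response for https://huggingface.co/Author/ModelName.
    200: served directly. 3xx (the post reports 307 after a transfer): legacy
    path that only works while the redirect exists, so pin the new id.
    404: path not found; if the author is gone too, the namespace is reusable."""
    if status == 200:
        return "direct"
    if status in (301, 302, 307, 308):
        return f"redirect -> {location or '?'} (legacy path; pin the new id)"
    if status == 404:
        return "missing (check whether the author still exists before trusting this path)"
    return f"unexpected status {status}"


# Constructed sample source with one unpinned load, one branch-pinned load,
# one SHA-pinned load and one local directory.
SAMPLE_SOURCE = '''
from transformers import AutoModel, AutoTokenizer
m1 = AutoModel.from_pretrained("Author/ModelName", trust_remote_code=True)
m2 = AutoModel.from_pretrained("Author/ModelName", revision="main")
m3 = AutoModel.from_pretrained("Author/ModelName", revision="0123456789abcdef0123456789abcdef01234567")
tok = AutoTokenizer.from_pretrained("./local-dir")
'''

if __name__ == "__main__":
    for f in find_unpinned_loads(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.model_id}: {f.reason}")
    print(classify_model_path(307, "/NewAuthor/ModelName"))
    print(classify_model_path(404))
```

Feeding `find_unpinned_loads` the contents of each `.py` file in a repository gives the codebase scan the description refers to; the status classifier is meant to be applied to the result of a `curl -I https://huggingface.co/Author/ModelName` run by the caller.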

Build master and others added 2 commits August 31, 2025 08:19
@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/model-namespace-reuse/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud -> Pentesting Cloud Methodology -> AI/ML Model Registry Supply-Chain Attacks (Hugging Face Namespace Reuse), with cross-links to GCP Post Exploitation (Vertex AI) and Azure ML/Azure AI Foundry Post Exploitation".

Repository Maintenance:

  • MD Files Formatting: 525 files processed (2 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions bot force-pushed the master branch 2 times, most recently from 5860267 to 391b11e on September 5, 2025 10:54