Many models ship in Python's pickle format. Loading a pickle doesn't just read numbers — it can execute code as part of deserialization. So torch.load("model.bin") on an untrusted file can run whatever the author embedded. The model is the payload.
__reduce__ code execution on load

The finding: JFrog scanned PyTorch and TensorFlow/Keras models on Hugging Face and found around one hundred carrying real malicious payloads — not theoretical, hosted and downloadable.
The mechanism: the models abused pickle's __reduce__ method to run code the instant the model loaded — system fingerprinting, credential theft, and reverse shells that called back to attacker servers.
The catch: Hugging Face scans and flags pickle files as “unsafe,” but does not block them. A flagged model can still be downloaded and executed.
Prefer safe formats like safetensors (data only, no code execution), and scan + verify model files before loading (Part 4). Next slide: what happens when the scanner itself can be fooled.
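As an added example (not from the original slides or from JFrog's scanner), the scan-and-verify step in Python: a static pass over the pickle opcode stream with pickletools lists every global the file would import without executing anything, and a restricted Unpickler refuses any global outside an allowlist at load time. The allowlist, the two sample checkpoints and the _Fingerprinter class are constructed for illustration, with the harmless platform.node() standing in for the real payloads.

```python
import io
import pickle
import pickletools
import platform
from collections import OrderedDict

# Constructed allowlist for this example: the only globals a plain checkpoint
# may import. A real list is tuned to the framework in use (torch, numpy, ...).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

def scan_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found by parsing the
    opcode stream with pickletools. Nothing in the file is executed."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name in ("UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"):
            strings.append(arg)  # STACK_GLOBAL takes its two operands from here
        elif op.name in ("GLOBAL", "INST"):  # protocol 0-3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: name on top, module below
            found.append((strings[-2], strings[-1]))
    return found

def unsafe_globals(data: bytes) -> list[tuple[str, str]]:
    """Imports the allowlist does not cover; any hit is a reason not to load."""
    return [g for g in scan_globals(data) if g not in ALLOWED_GLOBALS]

class RestrictedUnpickler(pickle.Unpickler):
    """Same allowlist enforced at load time via the find_class override."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def safe_load(data: bytes):
    """Scan, then load only under the allowlist. Returns (ok, value) where
    value is the object when ok, else the list of refused globals."""
    bad = unsafe_globals(data)
    return (False, bad) if bad else (True, RestrictedUnpickler(io.BytesIO(data)).load())

class _Fingerprinter:
    """Constructed stand-in for a trojaned checkpoint: __reduce__ makes pickle
    call a function on load; here the harmless platform.node()."""
    def __reduce__(self):
        return (platform.node, ())

BENIGN_MODEL = pickle.dumps(OrderedDict(w=[0.1, 0.2]), protocol=4)  # constructed
TROJANED_MODEL = pickle.dumps(_Fingerprinter(), protocol=4)        # constructed
```

Run safe_load on a downloaded checkpoint before torch.load ever sees it; a non-empty refused list means the file imports something a weights file has no reason to import.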