
ReversingLabs Identifies Novel ML Malware Hosted on Leading Hugging Face AI Model Platform

Dubbed “nullifAI,” the Detection-Evasion Tactic Targeted Pickle Files in ML Models and Demonstrates the Fast-Growing Cybersecurity Risks Presented by AI-Coding Tool Platforms

CAMBRIDGE, Mass., Feb. 06, 2025 (GLOBE NEWSWIRE) -- ReversingLabs (RL), the trusted name in file and software security, today revealed a novel ML malware attack technique on the AI community Hugging Face. Dubbed “nullifAI,” it affected two ML models hosted by Hugging Face and relied on deliberately corrupted files to evade the platform's defenses. The discovery is outlined in RL’s latest research post, “Malicious ML models discovered on Hugging Face platform,” and is accompanied by a new white paper, “AI is the Supply Chain,” which highlights the larger cybersecurity challenges that AI creates for software development.

In its research post, RL examines how threat actors are seeking hard-to-detect ways to insert and distribute ML malware via unsuspecting hosts, such as the AI platform Hugging Face. The research details how attackers used corrupt Pickle files to evade detection and bypass Hugging Face security protections while simultaneously managing to achieve execution of malicious code. Hugging Face has been notified and the ML models in question were taken down.
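The mechanism behind the evasion described above is that the Python unpickler executes opcodes sequentially, so a payload placed before a corrupted tail runs before loading fails, while a scanner that rejects unparseable files never reports it. The following is an added defensive example, not code from RL, the research post, or Hugging Face: it walks a pickle stream with the standard library's pickletools.genops, never calling pickle.loads, and keeps reporting the import and call opcodes it decoded before the first bad byte. The set of opcodes treated as dangerous, the STACK_GLOBAL resolution heuristic, and all sample byte strings are constructed for this example; the hand-built sample merely calls print.

```python
import pickle
import pickletools

# Opcodes that let a pickle stream import or invoke Python callables while it
# is being loaded. Treating all of them as suspicious is a conservative policy
# chosen for this example (an assumption, not a rule taken from the RL post).
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD",
}

# Opcodes that push a string; used to resolve STACK_GLOBAL's module/name pair.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE",
}


def scan_pickle(data: bytes) -> dict:
    """Walk a pickle stream with pickletools.genops, never with pickle.loads.

    The unpickler executes opcodes in order, so a GLOBAL/REDUCE pair placed
    before a corrupted tail has already run by the time loading fails. A
    scanner therefore must report everything it decoded before the first bad
    byte instead of discarding the file as unparseable.
    """
    result = {
        "dangerous_ops": [],    # (offset, opcode name)
        "globals": [],          # "module.qualname" references found
        "reached_stop": False,  # True only for a well-formed stream
        "corrupt": False,       # decoding failed before STOP
        "error": None,
    }
    recent_strings = []  # heuristic: the last two strings feed STACK_GLOBAL
    try:
        for opcode, arg, pos in pickletools.genops(data):
            name = opcode.name
            if name in STRING_OPCODES:
                recent_strings.append(arg)
            if name == "GLOBAL":
                module, qualname = arg.split(" ", 1)
                result["globals"].append(f"{module}.{qualname}")
            elif name == "STACK_GLOBAL" and len(recent_strings) >= 2:
                result["globals"].append(f"{recent_strings[-2]}.{recent_strings[-1]}")
            if name in DANGEROUS_OPCODES:
                result["dangerous_ops"].append((pos, name))
            if name == "STOP":
                result["reached_stop"] = True
    except ValueError as exc:  # genops raises ValueError on truncation or unknown opcodes
        result["corrupt"] = True
        result["error"] = str(exc)
    # Flag on content, not on well-formedness: a corrupt stream with no
    # dangerous opcodes is merely unusable, not malicious.
    result["flagged"] = bool(result["dangerous_ops"])
    return result


# Constructed samples for this example (not taken from the RL research).
# 1. An ordinary data pickle: no import or call opcodes at all.
SAMPLE_BENIGN = pickle.dumps([1, 2, 3], protocol=4)

# 2. Hand-assembled stream: PROTO, GLOBAL builtins.print, a string argument,
#    TUPLE1, REDUCE (i.e. print("hello")), then junk instead of STOP. The call
#    is harmless, but the shape is payload-then-corruption: pickle.loads would
#    execute the REDUCE and only afterwards raise on the junk bytes.
SAMPLE_PAYLOAD_THEN_CORRUPT = (
    b"\x80\x04"             # PROTO 4
    b"cbuiltins\nprint\n"   # GLOBAL "builtins print"
    b"\x8c\x05hello"        # SHORT_BINUNICODE "hello"
    b"\x85"                 # TUPLE1 -> ("hello",)
    b"R"                    # REDUCE -> print("hello")
    b"\xff\xff"             # corrupted tail; no STOP opcode
)

# 3. A protocol-4 global reference via STACK_GLOBAL, produced by pickle itself.
SAMPLE_STACK_GLOBAL = pickle.dumps(print, protocol=4)


def summarize(data: bytes) -> str:
    """One-line verdict suitable for a scan log."""
    r = scan_pickle(data)
    verdict = "FLAGGED" if r["flagged"] else "clean"
    tail = "corrupt stream" if r["corrupt"] else "well-formed"
    ops = [name for _, name in r["dangerous_ops"]]
    return f"{verdict}: ops={ops} globals={r['globals']} ({tail})"


if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN),
                          ("payload+corrupt", SAMPLE_PAYLOAD_THEN_CORRUPT),
                          ("stack_global", SAMPLE_STACK_GLOBAL)]:
        print(f"{label:16s} {summarize(sample)}")
```

The design choice worth noting is that the verdict depends only on which opcodes were decoded, never on whether decoding finished: a file that fails to parse is still scanned up to the failure point, which is exactly the property a payload-then-corruption file is built to defeat.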

“While the files discovered by our researchers appear to be ‘proof of concept’ rather than active threats, the failure to detect their presence points to a larger set of issues that are going to grow significantly and become more problematic as the use of AI coding tools grows,” said Tomislav Peričin, Chief Software Architect and co-founder, ReversingLabs. “Right now, AI is fueling modern software development, populating libraries and emboldening attackers. In fact, it’s safe to say AI is the supply chain, and while the benefits are vast, the security risks that come with it are alarming. To mitigate these new risks, organizations must embrace new modern software supply chain security solutions.”

Securing AI platforms and communities is critical. nullifAI is an example of an evolving category of software supply chain risk wherever AI is involved, in this case ML models hosted in an AI community. In its new white paper “AI is the Supply Chain,” RL examines how AI is transforming software development, altering software supply chains and creating significant new cybersecurity challenges for businesses. According to Gartner, 75% of enterprise software engineers will use AI code assistants by 2028, including those offered by Hugging Face, GitHub Copilot, Tabnine, and others.

While fueling incredible new innovations, AI-generated code will introduce new cybersecurity challenges to software development organizations. Examples include the growing use of outdated code and, more concerning, compromised code containing exploitable software vulnerabilities or malicious features that are undetectable by traditional security measures such as static code analysis.

Address AI Risks in Software Development with Spectra Assure
ReversingLabs works with some of the leading AI companies to help secure their LLM and ML models. With the industry’s largest threat repository and RL’s advanced complex binary analysis, Spectra Assure offers the most comprehensive SBOM and risk assessment for applications—identifying malware, tampering, exposed secrets, vulnerabilities, weak mitigations, and more, in minutes and without requiring source code. As AI-generated code continues to explode, Spectra Assure provides the critical build exam for software vendors and AI platforms before shipping or including AI models in their software.

To learn more about the risks of nullifAI, attend RL’s webinar “Hugging Face and ML Malware – How RL Discovered nullifAI” with RL Threat Researcher Karlo Zanki, RL Chief Software Architect Tomislav Peričin, and RL Director of Editorial Content Paul Roberts on Thursday, February 20 at 11:00 a.m. EST.

To learn more about how AI is impacting software supply chain security, read the recent AI is the Supply Chain primer.

About ReversingLabs
ReversingLabs is the trusted name in file and software security. We provide the modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, RL Spectra Core powers the software supply chain and file security insights, tracking over 422 billion searchable files daily with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.

Media Contact
Doug Fraim
Guyer Group
Doug@Guyergroup.com

