NPZ ModelScan Bypass PoC

Security research for Huntr bug bounty program.

This repository demonstrates that malicious NumPy NPZ files with pickle-based code execution payloads completely bypass ModelScan's NumpyUnsafeOpScan scanner on NumPy 2.x.

Root Cause

ModelScan's picklescanner.py (lines 231-232) uses NumPy private APIs that were removed in NumPy 2.0:

  • np.lib.format._check_version()
  • np.lib.format._read_array_header()

On NumPy 2.x every .npy scan therefore raises AttributeError, and ModelScan marks all NumPy model files as "SCAN_NOT_SUPPORTED" with zero issues reported.

Impact

Any malicious NPZ file containing object-dtype arrays with pickle RCE payloads passes ModelScan with zero detected issues.
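The check ModelScan was trying to perform (read the NPY header, flag object-dtype arrays) does not need any NumPy private API; it does not even need NumPy. The example below is added here and is not code from ModelScan or from this repository: it parses the NPY header format with the standard library (magic, version, header length, dict literal via ast.literal_eval), walks every .npy member of an NPZ archive, and reports members whose dtype descriptor can only be loaded through pickle. Array bodies are never read, so a malicious object array cannot execute anything during the scan. The sample archive is constructed inline and mirrors the three-member layout listed under Files, with an opaque placeholder body instead of a payload; helper names (read_npy_header, scan_npz, build_sample_npz) are my own.

```python
"""Header-only NPZ/NPY inspection that needs no NumPy private APIs (added example)."""
import ast
import io
import struct
import zipfile

NPY_MAGIC = b"\x93NUMPY"


def read_npy_header(fp):
    """Parse the NPY header from an open binary file and return it as a dict.

    Handles format version 1.0 (uint16 header length) and 2.0/3.0 (uint32).
    Raises ValueError on anything malformed or truncated.
    """
    if fp.read(len(NPY_MAGIC)) != NPY_MAGIC:
        raise ValueError("not an NPY file (bad magic)")
    major, minor = struct.unpack("<BB", fp.read(2))
    if major == 1:
        (hlen,) = struct.unpack("<H", fp.read(2))
    elif major in (2, 3):
        (hlen,) = struct.unpack("<I", fp.read(4))
    else:
        raise ValueError(f"unsupported NPY format version {major}.{minor}")
    raw = fp.read(hlen)
    if len(raw) != hlen:
        raise ValueError("truncated NPY header")
    # The header is a Python dict literal; literal_eval parses it without executing code.
    text = raw.decode("utf-8" if major == 3 else "latin1").strip()
    header = ast.literal_eval(text)
    for key in ("descr", "fortran_order", "shape"):
        if key not in header:
            raise ValueError(f"NPY header missing {key!r}")
    return header


def descr_requires_pickle(descr):
    """True if a dtype descriptor can only be loaded via pickle.

    Object dtype is written as '|O' (sometimes with a size such as '|O8').
    Structured dtypes are nested lists of (name, descr[, shape]) tuples.
    """
    if isinstance(descr, str):
        return descr.lstrip("<>|=").startswith("O")
    if isinstance(descr, (list, tuple)):
        fields = (f for f in descr if isinstance(f, (list, tuple)) and len(f) >= 2)
        return any(descr_requires_pickle(f[1]) for f in fields)
    return False


def scan_npz(npz_bytes):
    """Return (member_name, descr, needs_pickle) for every .npy member, reading headers only."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(npz_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".npy"):
                continue
            with zf.open(name) as member:
                header = read_npy_header(member)
            descr = header["descr"]
            findings.append((name, descr, descr_requires_pickle(descr)))
    return findings


def flagged_members(npz_bytes):
    """Names of members a scanner should report because loading them requires pickle."""
    return [name for name, _descr, needs_pickle in scan_npz(npz_bytes) if needs_pickle]


# --- constructed sample archive (assumption: mirrors the layout under Files) ---

def build_npy(descr, shape, body):
    """Build NPY v1.0 bytes by hand: magic, version, padded header dict, body."""
    header = f"{{'descr': {descr!r}, 'fortran_order': False, 'shape': {shape!r}, }}"
    prefix_len = len(NPY_MAGIC) + 2 + 2          # magic + version + uint16 length field
    pad = (64 - (prefix_len + len(header) + 1) % 64) % 64  # spec pads total to 64 bytes
    header_bytes = (header + " " * pad + "\n").encode("latin1")
    return NPY_MAGIC + b"\x01\x00" + struct.pack("<H", len(header_bytes)) + header_bytes + body


def build_sample_npz():
    """Two benign float32 arrays plus one object-dtype member with an opaque placeholder body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("weights.npy", build_npy("<f4", (128, 64), b"\x00" * (128 * 64 * 4)))
        zf.writestr("biases.npy", build_npy("<f4", (64,), b"\x00" * (64 * 4)))
        zf.writestr("metadata.npy", build_npy("|O", (1,), b"<opaque body, never unpickled>"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_npz()
    for name, descr, needs_pickle in scan_npz(sample):
        print(f"{name:14s} descr={descr!r:8s} needs_pickle={needs_pickle}")
    print("flagged:", flagged_members(sample))
```

Because the check reads only the header, it gives the same verdict on NumPy 1.x and 2.x and on hosts without NumPy at all; a scanner built this way cannot fall into the "SCAN_NOT_SUPPORTED" silent-pass described above, and any parse failure should be surfaced as an error rather than as a clean result.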

Files

  • malicious_model.npz - NPZ file containing:
    • weights.npy - benign float32 weights (128x64)
    • biases.npy - benign float32 biases (64)
    • metadata.npy - object array with pickle RCE payload (subprocess.check_output)

Reproduction

import numpy as np
# allow_pickle=True is required to load object-dtype arrays; it is what enables the payload.
data = np.load("malicious_model.npz", allow_pickle=True)
# Accessing the object-array member unpickles it, which triggers arbitrary code execution.
data['metadata']