Chronos T5-Small Poisoned Demo


DO NOT USE IN PRODUCTION. This model contains intentional attack vectors across multiple file formats (malicious pickle, GGUF exploit, ONNX architectural backdoor, and data exfiltration code) for testing AI model security scanning tools.



Purpose

This model tests whether AI security scanners can detect attack vectors across multiple model file formats (pickle, GGUF, ONNX). The legitimate weights (model.safetensors) are clean; only the additional files contain threats.

What's Poisoned

| File | Format | Threat | Severity |
|---|---|---|---|
| malicious_checkpoint.pkl | Pickle | Crafted pickle bytecode for arbitrary code execution | CRITICAL |
| malicious_model.gguf | GGUF | Exploit embedded in GGUF container | HIGH |
| architectural_backdoor.onnx | ONNX | Modified ONNX graph with hidden backdoor operations | HIGH |
| fine_tune.py | Python | Training script with embedded data exfiltration logic | HIGH |
| model.safetensors | SafeTensors | CLEAN: legitimate Chronos T5-Small weights | SAFE |
| config.json | JSON | CLEAN: standard model configuration | SAFE |

Expected Scanner Behavior

A comprehensive model security scanner should:

  • Flag malicious_checkpoint.pkl: pickle deserialization attack (CRITICAL)
  • Flag malicious_model.gguf: GGUF format exploit (HIGH)
  • Flag architectural_backdoor.onnx: ONNX graph backdoor (HIGH)
  • Flag fine_tune.py: data exfiltration code (HIGH)
  • Allow model.safetensors: legitimate SafeTensors weights
  • Allow config.json: standard configuration

Model Details

| Property | Value |
|---|---|
| Base Model | amazon/chronos-t5-small |
| Architecture | T5 (Chronos time-series forecasting) |
| Parameters | 46.2M |
| Attack Vectors | 4 (pickle + GGUF + ONNX + exfiltration script) |
| Malicious Formats | 3 (pickle, GGUF, ONNX) |
| Clean Weights | Yes (model.safetensors is legitimate) |

Why Multi-Format Testing Matters

Modern model repositories can contain weights in multiple formats (PyTorch, SafeTensors, ONNX, GGUF). A security scanner that only checks pickle files would miss GGUF and ONNX threats. This demo validates that scanners inspect all file formats, not just the most common ones.
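As an added example (not part of this model card or of the perfecXion.ai tooling), a small Python triage routine that applies the scanner behaviour listed above: it identifies each container from its bytes rather than its extension, disassembles pickles with pickletools instead of loading them, validates a safetensors header, and routes GGUF, ONNX and anything unrecognised to review instead of allowing it. The sample blobs are constructed inline, and the severity labels are assumptions rather than the demo's own output.

```python
import json, pickle, pickletools, struct

# Opcodes that make the unpickler import or call something. Pure-data checkpoints never need
# them; torch checkpoints do use REDUCE for tensor rebuilds, so real scanners allow-list globals.
CODE_EXEC_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}

def sniff_format(data: bytes) -> str:  # identify by bytes; the extension is attacker-controlled
    if data[:4] == b"GGUF":
        return "gguf"
    if len(data) >= 8:  # safetensors: u64 little-endian header length, then a JSON object
        n = struct.unpack("<Q", data[:8])[0]
        if n <= len(data) - 8 and data[8:9] == b"{":
            return "safetensors"
    if len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5:  # pickle PROTO opcode
        return "pickle"
    return "unknown"  # ONNX (protobuf) has no magic and lands here

def scan_pickle(data: bytes):
    """Disassemble with pickletools instead of loading, so nothing in the file executes."""
    found = sorted({op.name for op, _, _ in pickletools.genops(data) if op.name in CODE_EXEC_OPS})
    if found:
        return ("CRITICAL", f"opcodes that import or call code: {found}")
    return ("LOW", "data-only pickle; the loader format itself still warrants review")

def scan_safetensors(data: bytes):  # parse the header, check every tensor stays inside the file
    n = struct.unpack("<Q", data[:8])[0]
    header = json.loads(data[8:8 + n])
    payload = len(data) - 8 - n
    for name, t in header.items():
        if name != "__metadata__":
            start, end = t["data_offsets"]
            if not 0 <= start <= end <= payload:
                return ("HIGH", f"tensor {name!r} offsets point outside the file")
    return ("SAFE", "header parses and all tensor offsets are in bounds")

def scan_file(data: bytes):  # returns (format, severity, detail); unknown is never allowed silently
    fmt = sniff_format(data)
    if fmt == "pickle":
        return (fmt,) + scan_pickle(data)
    if fmt == "safetensors":
        return (fmt,) + scan_safetensors(data)
    return (fmt, "REVIEW", "no parser for this container; needs format-specific inspection")

class _Reduces:  # constructed sample: its pickle carries GLOBAL + REDUCE for a harmless callable
    def __reduce__(self):
        return (str, ("harmless",))
SAMPLE_PICKLE = pickle.dumps(_Reduces(), protocol=2)
SAMPLE_BENIGN_PICKLE = pickle.dumps({"epoch": 3, "loss": 0.12}, protocol=2)
_HDR = b'{"w":{"dtype":"F32","shape":[2],"data_offsets":[0,8]}}'  # constructed safetensors header
SAMPLE_SAFETENSORS = struct.pack("<Q", len(_HDR)) + _HDR + struct.pack("<2f", 1.0, 2.0)
SAMPLE_GGUF = b"GGUF" + struct.pack("<I", 3) + bytes(16)  # constructed: magic and version only
```

Run `scan_file` over every file in a repository snapshot, not only the ones with a `.pkl` extension, and treat any `REVIEW` result as a gap in coverage rather than a pass.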


Security Test Model Family

| Model | Attack Vectors | Purpose |
|---|---|---|
| bert-tiny-poisoned-demo | Malicious pickle | Single-vector pickle detection test |
| bert-tiny-multi-attack-demo | Pickle + backdoor + exfiltration | Multi-vector attack detection test |
| chronos-t5-small-poisoned-demo | Pickle + GGUF + ONNX + script | Multi-format attack detection test |
| chronos-benign-pickle-test | Benign pickle (flagged by format) | False positive calibration test |

Citation

@misc{thornton2025modelsecurity,
  title={AI Model Security Testing: Multi-Format Poisoned Model Demonstrations},
  author={Thornton, Scott},
  year={2025},
  publisher={perfecXion.ai},
  url={https://perfecxion.ai}
}

License

Apache 2.0

Model tree for scthornton/chronos-t5-small-poisoned-demo