{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,27]],"date-time":"2026-05-27T14:52:43Z","timestamp":1779893563777,"version":"3.53.1"},"publisher-location":"New York, NY, USA","reference-count":92,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,10,27]],"date-time":"2024-10-27T00:00:00Z","timestamp":1729987200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,10,27]]},"DOI":"10.1145\/3691620.3695271","type":"proceedings-article","created":{"date-parts":[[2024,10,18]],"date-time":"2024-10-18T15:39:19Z","timestamp":1729265959000},"page":"2087-2098","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-5716-1462","authenticated-orcid":false,"given":"Jian","family":"Zhao","sequence":"first","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3818-3343","authenticated-orcid":false,"given":"Shenao","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8793-5367","authenticated-orcid":false,"given":"Yanjie","family":"Zhao","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-9965-2109","authenticated-orcid":false,"given":"Xinyi","family":"Hou","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3977-6573","authenticated-orcid":false,"given":"Kailong","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-8255-7926","authenticated-orcid":false,"given":"Peiming","family":"Gao","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-8396-8833","authenticated-orcid":false,"given":"Yuanchao","family":"Zhang","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6312-8601","authenticated-orcid":false,"given":"Chen","family":"Wei","sequence":"additional","affiliation":[{"name":"MYbank, Ant Group, Hangzhou, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1100-8633","authenticated-orcid":false,"given":"Haoyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2024,10,27]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Alien and Nicky. 2023. Beware of Hugging Face open-source component risks exploited in large language model supply chain attacks. https:\/\/security.tencent.com\/index.php\/blog\/msg\/209. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_2_1","unstructured":"Amr Elmeleegy Shivam Raj Brian Slechta and Vishal Mehta. 2024. Demystifying AI Inference Deployments for Trillion Parameter Large Language Models. https:\/\/developer.nvidia.com\/blog\/demystifying-ai-inference-deployments-for-trillion-parameter-large-language-models\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_3_1","unstructured":"Avi Lumelsky. 2024. TensorFlow Keras Downgrade Attack: CVE-2024-3660 Bypass. https:\/\/www.oligo.security\/blog\/tensorflow-keras-downgrade-attack-cve-2024-3660-bypass. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_4_1","unstructured":"Bar Lanyado. 2023. More than 1500 HuggingFace API Tokens were exposed leaving millions of Meta-Llama Bloom and Pythia users vulnerable. https:\/\/www.lasso.security\/blog\/1500-huggingface-api-tokens-were-exposed-leaving-millions-of-meta-llama-bloom-and-pythia-users-for-supply-chain-attacks. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_5_1","unstructured":"Boyan Milanov. 2024. Exploiting ML models with pickle file attacks: Part 2. https:\/\/blog.trailofbits.com\/2024\/06\/11\/exploiting-ml-models-with-pickle-file-attacks-part-2\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_6_1","unstructured":"Boyan Milanov. 2024. Exploiting ML models with pickle file attacks: Part 2. https:\/\/blog.trailofbits.com\/2024\/06\/11\/exploiting-ml-models-with-pickle-file-attacks-part-1\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_7_1","unstructured":"CERT Vulnerability Notes Database. 2024. Keras 2 Lambda layers allow arbitrary code injection in TensorFlow models. https:\/\/kb.cert.org\/vuls\/id\/253266. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_8_1","unstructured":"Cisco-Talos. 2024. ClamAV. https:\/\/github.com\/Cisco-Talos\/clamav. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_9_1","volume-title":"Cloudpickle: Extended pickling support for Python objects. https:\/\/github.com\/cloudpipe\/cloudpickle. Accessed: 2024-07-07.","author":"Developers Cloudpickle","year":"2024","unstructured":"Cloudpickle Developers. 2024. Cloudpickle: Extended pickling support for Python objects. https:\/\/github.com\/cloudpipe\/cloudpickle. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_10_1","unstructured":"David Cohen. 2024. Data scientists targeted by malicious Hugging Face ML models with silent backdoor. https:\/\/jfrog.com\/blog\/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_11_1","unstructured":"Dropbox. 2024. Bhakti. https:\/\/github.com\/dropbox\/bhakti. Accessed: 2024-07-12."},{"key":"e_1_3_2_1_12_1","volume-title":"Ryan Elder, Brendan Saltaformaggio, and Wenke Lee.","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages. In 28th Annual Network and Distributed System Security Symposium, NDSS. https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/ndss2021_1B-1_23055_paper.pdf"},{"key":"e_1_3_2_1_13_1","unstructured":"Eoin Wickens and Kasimir Schulz. 2024. Hijacking safeTensors conversion on Hugging Face. https:\/\/hiddenlayer.com\/research\/silent-sabotage\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_14_1","unstructured":"Eoin Wickens Marta Janus and Tom Bonner. 2022. Pickle files: The new ML model attack vector. https:\/\/hiddenlayer.com\/research\/pickle-strike\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_15_1","volume-title":"Marta Janus and Tom Bonner","author":"Wickens Eoin","year":"2022","unstructured":"Eoin Wickens, Marta Janus and Tom Bonner. 2022. Weaponizing ML models with ransomware. https:\/\/hiddenlayer.com\/research\/weaponizing-machine-learning-models-with-ransomware\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_16_1","unstructured":"Hugging Face. 2024. Load a dataset from the hub. https:\/\/huggingface.co\/docs\/datasets\/load_hub. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_17_1","unstructured":"Hugging Face. 2024. Pickle scanning. https:\/\/huggingface.co\/docs\/hub\/security-pickle. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_18_1","unstructured":"Facebook. 2024. pyre-check. https:\/\/github.com\/facebook\/pyre-check. Accessed: 2024-08-28."},{"key":"e_1_3_2_1_19_1","unstructured":"Facebook. 2024. Pysa Taint Rules. https:\/\/github.com\/facebook\/pyre-check\/tree\/main\/stubs\/taint\/core_privacy_security. Accessed: 2024-07-13."},{"key":"e_1_3_2_1_20_1","first-page":"1","article-title":"Switch Transformers: Scaling to Trillion Parameter Models with Simple and Efficient Sparsity","volume":"23","author":"Fedus William","year":"2022","unstructured":"William Fedus, Barret Zoph, and Noam Shazeer. 2022. Switch Transformers: Scaling to Trillion Parameter Models with Simple and Efficient Sparsity. Journal of Machine Learning Research 23, 120 (2022), 1--39. http:\/\/jmlr.org\/papers\/v23\/21-0998.html","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_1_21_1","volume-title":"GGUF: GPT-Generated Unified Format. https:\/\/github.com\/ggerganov\/ggml\/blob\/master\/docs\/gguf.md. Accessed: 2024-07-07.","author":"Developers GGML","year":"2024","unstructured":"GGML Developers. 2024. GGUF: GPT-Generated Unified Format. https:\/\/github.com\/ggerganov\/ggml\/blob\/master\/docs\/gguf.md. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_22_1","volume-title":"An Empirical Study of Malicious Code In PyPI Ecosystem. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 166--177","author":"Guo Wenbo","year":"2023","unstructured":"Wenbo Guo, Zhengzi Xu, Chengwei Liu, Cheng Huang, Yong Fang, and Yang Liu. 2023. An Empirical Study of Malicious Code In PyPI Ecosystem. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 166--177."},{"key":"e_1_3_2_1_23_1","unstructured":"H5PY. 2024. File objects. https:\/\/docs.h5py.org\/en\/stable\/high\/file.html. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_24_1","volume-title":"MalModel: Hiding Malicious Payload in Mobile Deep Learning Models with Black-box Backdoor Attack. arXiv preprint arXiv:2401.02659","author":"Hua Jiayi","year":"2024","unstructured":"Jiayi Hua, Kailong Wang, Meizhen Wang, Guangdong Bai, Xiapu Luo, and Haoyu Wang. 2024. MalModel: Hiding Malicious Payload in Mobile Deep Learning Models with Black-box Backdoor Attack. arXiv preprint arXiv:2401.02659 (2024)."},{"key":"e_1_3_2_1_25_1","volume-title":"DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping. arXiv preprint arXiv:2403.08334","author":"Huang Cheng","year":"2024","unstructured":"Cheng Huang, Nannan Wang, Ziyan Wang, Siqi Sun, Lingzi Li, Junren Chen, Qianchong Zhao, Jiaxuan Han, Zhen Yang, and Lei Shi. 2024. DONAPI: Malicious NPM Packages Detector using Behavior Sequence Knowledge Mapping. arXiv preprint arXiv:2403.08334 (2024)."},{"key":"e_1_3_2_1_26_1","unstructured":"Hugging Face. 2024. Dataset loading scripts. https:\/\/huggingface.co\/docs\/datasets\/dataset_script. Accessed: 2024-07-10."},{"key":"e_1_3_2_1_27_1","unstructured":"Hugging Face. 2024. Hugging Face Hub API. https:\/\/huggingface.co\/docs\/huggingface_hub\/v0.5.1\/en\/package_reference\/hf_api. Accessed: 2024-07-12."},{"key":"e_1_3_2_1_28_1","unstructured":"Hugging Face. 2024. Hugging Face Models. https:\/\/huggingface.co\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_29_1","volume-title":"Hugging Face: The AI community building the future. https:\/\/huggingface.co\/. Accessed: 2024-07-12.","author":"Face Hugging","year":"2024","unstructured":"Hugging Face. 2024. Hugging Face: The AI community building the future. https:\/\/huggingface.co\/. Accessed: 2024-07-12."},{"key":"e_1_3_2_1_30_1","unstructured":"Hugging Face. 2024. safetensors. https:\/\/huggingface.co\/docs\/safetensors\/index. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_31_1","volume-title":"Exploring naming conventions (and defects) of pre-trained deep learning models in hugging face and other model hubs. arXiv preprint arXiv:2310.01642","author":"Jiang Wenxin","year":"2023","unstructured":"Wenxin Jiang, Chingwo Cheung, George K Thiruvathukal, and James C Davis. 2023. Exploring naming conventions (and defects) of pre-trained deep learning models in hugging face and other model hubs. arXiv preprint arXiv:2310.01642 (2023)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00206"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564547"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3643991.3644907"},{"key":"e_1_3_2_1_35_1","unstructured":"Joblib. 2024. Joblib: running Python functions as pipeline jobs. https:\/\/joblib.readthedocs.io\/en\/stable\/generated\/joblib.load.html. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_36_1","unstructured":"John Snow Labs. 2024. Spark NLP Models Hub. https:\/\/nlp.johnsnowlabs.com\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_37_1","unstructured":"Kaggle. 2024. Kaggle Models. https:\/\/www.kaggle.com\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"e_1_3_2_1_39_1","volume-title":"Scalpel: The Python Static Analysis Framework. arXiv preprint arXiv:2202.11840","author":"Li Li","year":"2022","unstructured":"Li Li, Jiawei Wang, and Haowei Quan. 2022. Scalpel: The Python Static Analysis Framework. arXiv preprint arXiv:2202.11840 (2022)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00073"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00035"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3534678.3539070"},{"key":"e_1_3_2_1_43_1","unstructured":"Liandanxia. 2024. Liandanxia Model Hubs. https:\/\/liandanxia.com\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_44_1","volume-title":"Building a framework for predictive science. arXiv preprint arXiv:1202.1056","author":"McKerns Michael M","year":"2012","unstructured":"Michael M McKerns, Leif Strand, Tim Sullivan, Alta Fang, and Michael AG Aivazis. 2012. Building a framework for predictive science. arXiv preprint arXiv:1202.1056 (2012)."},{"key":"e_1_3_2_1_45_1","unstructured":"MessagePack Developers. 2024. MessagePack specification. https:\/\/github.com\/msgpack\/msgpack\/blob\/master\/spec.md. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_46_1","unstructured":"MindScope. 2024. ModelScope Models. https:\/\/modelscope.cn\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_47_1","unstructured":"MindSpore. 2024. MindSpore Model Hubs. https:\/\/xihe.mindspore.cn\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_48_1","unstructured":"mmaitre314. 2024. Picklescan. https:\/\/github.com\/mmaitre314\/picklescan. Accessed: 2024-07-12."},{"key":"e_1_3_2_1_49_1","unstructured":"ModelZoo. 2024. ModelZoo. https:\/\/modelzoo.co\/. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_50_1","unstructured":"Nadav Noy. 2024. Legit discovers \"AI Jacking\" vulnerability in popular Hugging Face AI platform. https:\/\/www.legitsecurity.com\/blog\/tens-of-thousands-of-developers-were-potentially-impacted-by-the-hugging-face-aijacking-attack. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_51_1","unstructured":"NumPy Developers. 2024. numpy.save. https:\/\/numpy.org\/doc\/stable\/reference\/generated\/numpy.save.html#numpy.save. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_52_1","unstructured":"NumPy Developers. 2024. numpy.savez. https:\/\/numpy.org\/doc\/stable\/reference\/generated\/numpy.savez.html. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_53_1","unstructured":"NVIDIA. 2024. NVIDIA NGC Models. https:\/\/catalog.ngc.nvidia.com\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_54_1","unstructured":"Trail of Bits. 2021. Fickling. https:\/\/github.com\/trailofbits\/fickling. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_55_1","unstructured":"Trail of Bits. 2024. List of ML file formats. https:\/\/github.com\/trailofbits\/ml-file-formats. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_56_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice","author":"Ohm Marc","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, Cl\u00e9mentine Maurice, Leyla Bilge, Gianluca Stringhini, and Nuno Neves (Eds.). Springer International Publishing, Cham, 23--43."},{"key":"e_1_3_2_1_57_1","unstructured":"ONNX. 2024. ONNX Model Zoo. https:\/\/onnx.ai\/models\/. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_58_1","volume-title":"ONNX: Serialization with protobuf. https:\/\/onnx.ai\/onnx\/intro\/concepts.html#serialization-with-protobuf. Accessed: 2024-07-07.","author":"Developers ONNX","year":"2024","unstructured":"ONNX Developers. 2024. ONNX: Serialization with protobuf. https:\/\/onnx.ai\/onnx\/intro\/concepts.html#serialization-with-protobuf. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_59_1","unstructured":"OpenAI. 2024. ChatGPT. https:\/\/chat.openai.com. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_60_1","unstructured":"OpenCSG. 2024. OpenCSG Models. https:\/\/opencsg.com\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_61_1","unstructured":"OpenMMLab. 2024. OpenMMLab ModelZoo. https:\/\/platform.openmmlab.com\/modelzoo\/. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_62_1","unstructured":"OWASP. 2024. OWASP Top 10 for Large Language Model Applications. https:\/\/owasp.org\/www-project-top-10-for-large-language-model-applications\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_63_1","unstructured":"PaddlePaddle. 2024. PaddlePaddle Model Hubs. https:\/\/aistudio.baidu.com\/modelsoverview. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_64_1","unstructured":"ProtectAI. 2023. Model serialization attacks. https:\/\/github.com\/protectai\/modelscan\/blob\/main\/docs\/model_serialization_attacks.md. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"crossref","unstructured":"ProtectAI. 2023. Modelscan. https:\/\/github.com\/protectai\/modelscan. Accessed: 2024-07-05.","DOI":"10.47362\/EJSSS.2024.5501"},{"key":"e_1_3_2_1_66_1","unstructured":"Python. 2024. JSON encoder and decoder. https:\/\/docs.python.org\/3\/library\/json.html. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_67_1","unstructured":"Python. 2024. marshal: Internal Python object serialization. https:\/\/docs.python.org\/3\/library\/marshal.html. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_68_1","unstructured":"Python. 2024. pickle. https:\/\/github.com\/python\/cpython\/blob\/main\/Lib\/pickle.py. Accessed: 2024-08-28."},{"key":"e_1_3_2_1_69_1","volume-title":"Pickle: Python object serialization. https:\/\/docs.python.org\/3\/library\/pickle.html. Accessed: 2024-07-05.","year":"2024","unstructured":"Python. 2024. Pickle: Python object serialization. https:\/\/docs.python.org\/3\/library\/pickle.html. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_70_1","volume-title":"Pickletools: Tools for pickle developers. https:\/\/docs.python.org\/3\/library\/pickletools.html. Accessed: 2024-07-11.","year":"2024","unstructured":"Python. 2024. Pickletools: Tools for pickle developers. https:\/\/docs.python.org\/3\/library\/pickletools.html. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_71_1","unstructured":"PyTorch. 2024. PyTorch. https:\/\/github.com\/pytorch\/pytorch. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_72_1","unstructured":"Rocky. 2024. python-decompile3. https:\/\/github.com\/rocky\/python-decompile3. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_73_1","unstructured":"rocky. 2024. python-uncompyle6. https:\/\/github.com\/rocky\/python-uncompyle6. Accessed: 2024-09-13."},{"key":"e_1_3_2_1_74_1","unstructured":"Semgrep. 2024. Semgrep Registry. https:\/\/semgrep.dev\/r. Accessed: 2024-08-28."},{"key":"e_1_3_2_1_75_1","unstructured":"Stack Overflow. 2020. How to list all used operations in TensorFlow Saved-Model? https:\/\/stackoverflow.com\/questions\/60154650\/how-to-list-all-used-operations-in-tensorflow-savedmodel. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_76_1","unstructured":"Evan Sultanik. 2021. Never a Dill Moment: Exploiting Machine Learning Pickle Files. https:\/\/blog.trailofbits.com\/2021\/03\/15\/never-a-dill-moment-exploiting-machine-learning-pickle-files\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_77_1","unstructured":"SwanHub. 2024. SwanHub Models. https:\/\/swanhub.co\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_78_1","unstructured":"TensorFlow. 2024. Checkpoint. https:\/\/www.tensorflow.org\/guide\/checkpoint. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_79_1","unstructured":"TensorFlow. 2024. HDF5 format. https:\/\/www.tensorflow.org\/tutorials\/keras\/save_and_load#hdf5_format. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_80_1","unstructured":"TensorFlow. 2024. SavedModel. https:\/\/www.tensorflow.org\/guide\/saved_model. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_81_1","unstructured":"TensorFlow. 2024. TensorFlow Lite. https:\/\/www.tensorflow.org\/lite\/guide. Accessed: 2024-07-07."},{"key":"e_1_3_2_1_82_1","unstructured":"TensorFlow. 2024. tf.io.read_file. https:\/\/www.tensorflow.org\/api_docs\/python\/tf\/io\/read_file. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_83_1","unstructured":"TensorFlow. 2024. tf.io.write_file. https:\/\/www.tensorflow.org\/api_docs\/python\/tf\/io\/write_file. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_84_1","unstructured":"TensorFlow. 2024. Using TensorFlow securely. https:\/\/github.com\/tensorflow\/tensorflow\/security\/policy. Accessed: 2024-07-08."},{"key":"e_1_3_2_1_85_1","unstructured":"Tom Bonner. 2023. Models are code: A deep dive into security risks in TensorFlow and Keras. https:\/\/hiddenlayer.com\/research\/models-are-code\/. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_86_1","unstructured":"VirusTotal. 2024. YARA. https:\/\/github.com\/virustotal\/yara. Accessed: 2024-07-12."},{"key":"e_1_3_2_1_87_1","volume-title":"Confused Learning: Supply Chain Attacks through Machine Learning Models. https:\/\/i.blackhat.com\/Asia-24\/Presentations\/Asia-24-Wood-Confused-Learning.pdf. Accessed: 2024-07-11.","author":"Walker Mary","year":"2024","unstructured":"Mary Walker and Adrian Wood. 2024. Confused Learning: Supply Chain Attacks through Machine Learning Models. https:\/\/i.blackhat.com\/Asia-24\/Presentations\/Asia-24-Wood-Confused-Learning.pdf. Accessed: 2024-07-11."},{"key":"e_1_3_2_1_88_1","volume-title":"Large language model supply chain: A research agenda. arXiv preprint arXiv:2404.12736","author":"Wang Shenao","year":"2024","unstructured":"Shenao Wang, Yanjie Zhao, Xinyi Hou, and Haoyu Wang. 2024. Large language model supply chain: A research agenda. arXiv preprint arXiv:2404.12736 (2024)."},{"key":"e_1_3_2_1_89_1","unstructured":"WiseModel. 2024. WiseModel. https:\/\/www.wisemodel.cn\/models. Accessed: 2024-07-06."},{"key":"e_1_3_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00022"},{"key":"e_1_3_2_1_91_1","unstructured":"Peng Zhou. 2024. How to Make Hugging Face to Hug Worms: Discovering and Exploiting Unsafe Pickle.loads over Pre-Trained Large Model Hubs. https:\/\/www.blackhat.com\/asia-24\/briefings\/schedule\/index.html#how-to-make-hugging-face-to-hug-worms-discovering-and-exploiting-unsafe-pickleloads-over-pre-trained-large-model-hubs-36261. Accessed: 2024-07-05."},{"key":"e_1_3_2_1_92_1","unstructured":"zrax. 2024. pycdc. https:\/\/github.com\/zrax\/pycdc. Accessed: 2024-09-13."}],"event":{"name":"ASE '24: 39th IEEE\/ACM International Conference on Automated Software Engineering","location":"Sacramento CA USA","acronym":"ASE '24","sponsor":["SIGAI ACM Special Interest Group on Artificial Intelligence","SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS"]},"container-title":["Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691620.3695271","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3691620.3695271","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:04:07Z","timestamp":1750291447000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691620.3695271"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,27]]},"references-count":92,"alternative-id":["10.1145\/3691620.3695271","10.1145\/3691620"],"URL":"https:\/\/doi.org\/10.1145\/3691620.3695271","relation":{},"subject":[],"published":{"date-parts":[[2024,10,27]]},"assertion":[{"value":"2024-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}