{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:32:08Z","timestamp":1766442728244,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":108,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,11,22]],"date-time":"2026-11-22T00:00:00Z","timestamp":1795305600000},"content-version":"vor","delay-in-days":368,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2238467"],"award-info":[{"award-number":["CNS-2238467"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765037","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:42:02Z","timestamp":1763854922000},"page":"3341-3355","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["P\n                    <scp>ickle<\/scp>\n                    B\n                    <scp>all<\/scp>\n                    : Secure Deserialization of Pickle-based Machine Learning Models"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-8763-2400","authenticated-orcid":false,"given":"Andreas D.","family":"Kellas","sequence":"first","affiliation":[{"name":"Columbia University, New York, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7335-9485","authenticated-orcid":false,"given":"Neophytos","family":"Christou","sequence":"additional","affiliation":[{"name":"Brown University, Providence, RI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2608-8576","authenticated-orcid":false,"given":"Wenxin","family":"Jiang","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA and Socket, Wilmington, DE, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3077-5697","authenticated-orcid":false,"given":"Penghui","family":"Li","sequence":"additional","affiliation":[{"name":"Columbia University, New York, NY, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7893-547X","authenticated-orcid":false,"given":"Laurent","family":"Simon","sequence":"additional","affiliation":[{"name":"Google, Mountain View, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1630-7723","authenticated-orcid":false,"given":"Yaniv","family":"David","sequence":"additional","affiliation":[{"name":"Technion, Haifa, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6528-437X","authenticated-orcid":false,"given":"Vasileios P.","family":"Kemerlis","sequence":"additional","affiliation":[{"name":"Brown University, Providence, RI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2495-686X","authenticated-orcid":false,"given":"James C.","family":"Davis","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-2277-6545","authenticated-orcid":false,"given":"Junfeng","family":"Yang","sequence":"additional","affiliation":[{"name":"Columbia University, New York, NY, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2025. ModelScope. https:\/\/www.modelscope.cn\/home."},{"key":"e_1_3_2_2_2_1","unstructured":"2025. ONNX Model Zoo. https:\/\/onnx.ai\/models\/."},{"key":"e_1_3_2_2_3_1","unstructured":"2025. PyTorch Hub for Researchers. https:\/\/pytorch.org\/hub\/."},{"key":"e_1_3_2_2_4_1","unstructured":"2025. Qualcomm AI Hub. https:\/\/aihub.qualcomm.com\/models."},{"key":"e_1_3_2_2_5_1","unstructured":"2025. TensorFlow Models and Datasets. https:\/\/www.tensorflow.org\/resources\/ models-datasets."},{"key":"e_1_3_2_2_6_1","unstructured":"Mart\u00edn Abadi Ashish Agarwal Paul Barham Eugene Brevdo Zhifeng Chen Craig Citro Greg S. Corrado Andy Davis Jeffrey Dean Matthieu Devin Sanjay Ghemawat Ian Goodfellow Andrew Harp Geoffrey Irving Michael Isard Yangqing Jia Rafal Jozefowicz Lukasz Kaiser Manjunath Kudlur Josh Levenberg Dandelion Man\u00e9 Rajat Monga Sherry Moore Derek Murray Chris Olah Mike Schuster Jonathon Shlens Benoit Steiner Ilya Sutskever Kunal Talwar Paul Tucker Vincent Vanhoucke Vijay Vasudevan Fernanda Vi\u00e9gas Oriol Vinyals Pete Warden Martin Wattenberg Martin Wicke Yuan Yu and Xiaoqiang Zheng. 2015. TensorFlow: Large-Scale Machine Learning on Heterogeneous Systems. https:\/\/www.tensorflow.org\/"},{"key":"e_1_3_2_2_7_1","unstructured":"Protect AI. 2024. modelscan. https:\/\/github.com\/protectai\/modelscan. commit: 81338386b669526c14b839e7ccc36c160cd53b88."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER56733.2023.00080"},{"key":"e_1_3_2_2_9_1","volume-title":"International Python Conference","author":"Aycock John","year":"2000","unstructured":"John Aycock. 2000. International Python Conference (2000)."},{"key":"e_1_3_2_2_10_1","volume-title":"Chris Leary, Dougal Maclaurin, George Necula, Adam Paszke, Jake VanderPlas, Skye Wanderman-Milne, and Qiao Zhang.","author":"Bradbury James","year":"2018","unstructured":"James Bradbury, Roy Frostig, Peter Hawkins, Matthew James Johnson, Chris Leary, Dougal Maclaurin, George Necula, Adam Paszke, Jake VanderPlas, Skye Wanderman-Milne, and Qiao Zhang. 2018. JAX: composable transformations of PythonNumPy programs. http:\/\/github.com\/jax-ml\/jax."},{"key":"e_1_3_2_2_11_1","unstructured":"Jose Camacho-Collados Kiamehr Rezaee Talayeh Riahi Asahi Ushio Daniel Loureiro Dimosthenis Antypas Joanne Boisson Luis Espinosa-Anke Fangyu Liu Eugenio Mart\u00ednez-C\u00e1mara et al. 2025. Python library tweetnlp provides a collection of useful tools to analyze\/understand tweets such as sentiment analysis etc. https:\/\/github.com\/cardiffnlp\/tweetnlp."},{"key":"e_1_3_2_2_12_1","unstructured":"Beatrice Casey Joanna C. S. Santos and Mehdi Mirakhorli. 2024. A Large-Scale Exploit Instrumentation Study of AI\/ML Supply Chain Attacks in Hugging Face Models. arXiv:2410.04490 [cs.CR] https:\/\/arxiv.org\/abs\/2410.04490"},{"key":"e_1_3_2_2_13_1","unstructured":"Walker Chabbott and James Fletcher. 2023. Multi-repository variant analysis: a powerful new way to perform security research across GitHub. https:\/\/github.blog\/security\/vulnerability-research\/multi-repository-variantanalysis- a-powerful-new-way-to-perform-security-research-across-github\/"},{"key":"e_1_3_2_2_14_1","volume-title":"Emerging trends: A gentle introduction to fine-tuning. Natural Language Engineering 27, 6","author":"Church Kenneth Ward","year":"2021","unstructured":"Kenneth Ward Church, Zeyu Chen, and Yanjun Ma. 2021. Emerging trends: A gentle introduction to fine-tuning. Natural Language Engineering 27, 6 (2021)."},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/SaTML59370.2024.00024"},{"key":"e_1_3_2_2_16_1","unstructured":"David Cohen. 2024. Data Scientists Targeted by Malicious Hugging Face ML Models with Silent Backdoor. https:\/\/jfrog.com\/blog\/data-scientists-targetedby- malicious-hugging-face-ml-models-with-silent-backdoor\/"},{"key":"e_1_3_2_2_17_1","unstructured":"ColdwaterQ. 2022. BACKDOORING Pickles: A decade only made things worse. https:\/\/forum.defcon.org\/node\/241825."},{"key":"e_1_3_2_2_18_1","unstructured":"coldwaterq. 2024. GitHub Issue: Fickling DoS. https:\/\/github.com\/trailofbits\/fic kling\/issues\/111."},{"key":"e_1_3_2_2_19_1","unstructured":"Conch. 2025. A Vision-Language Foundation Model for Computational Pathology. https:\/\/github.com\/mahmoodlab\/CONCH\/."},{"key":"e_1_3_2_2_20_1","unstructured":"Fredrik Dahlgren Suha Hussain Heidy Khlaaf and Evan Sultanik. 2023. EleutherAI Hugging Face Safetensors Library. Technical Report. Trail of Bits."},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660363"},{"key":"e_1_3_2_2_22_1","volume-title":"Parrot: Paraphrase generation for NLU. https: \/\/github.com\/PrithivirajDamodaran\/Parrot_Paraphraser\/.","author":"Damodaran Prithiviraj","year":"2025","unstructured":"Prithiviraj Damodaran. 2025. Parrot: Paraphrase generation for NLU. https: \/\/github.com\/PrithivirajDamodaran\/Parrot_Paraphraser\/."},{"key":"e_1_3_2_2_23_1","volume-title":"Sleepy Pickle: Exploit Subtly Poisons ML Models. https:\/\/www.darkreading.com\/threat-intelligence\/sleepy-pickle-exploitsubtly- poisons-ml-models","author":"Staff Dark Reading","year":"2024","unstructured":"Dark Reading Staff. 2024. Sleepy Pickle: Exploit Subtly Poisons ML Models. https:\/\/www.darkreading.com\/threat-intelligence\/sleepy-pickle-exploitsubtly- poisons-ml-models"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.241015"},{"key":"e_1_3_2_2_25_1","volume-title":"A Guide to Stakeholder Analysis for Cybersecurity Researchers. arXiv preprint arXiv:2508.14796v1","author":"Davis James C","year":"2025","unstructured":"James C Davis, Sophie Chen, Huiyun Peng, Paschal C Amusuo, and Kelechi G Kalu. 2025. A Guide to Stakeholder Analysis for Cybersecurity Researchers. arXiv preprint arXiv:2508.14796v1 (2025)."},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/JVA60410.2023.00015"},{"key":"e_1_3_2_2_27_1","unstructured":"deepseek ai. 2025. DeepSeek-R1-Distill-Qwen-32B. https:\/\/huggingf ace.co\/deepseek-ai\/DeepSeek-R1-Distill-Qwen-32B. commit: 711ad2ea6aa40cfca18895e8aca02ab92df1a746."},{"key":"e_1_3_2_2_28_1","unstructured":"Universal Dependencies. 2025. Universal Dependencies. https:\/\/universaldepen dencies.org\/."},{"key":"e_1_3_2_2_29_1","unstructured":"Abhimanyu Dubey Abhinav Jauhri Abhinav Pandey Abhishek Kadian Ahmad Al-Dahle Aiesha Letman Akhil Mathur Alan Schelten Amy Yang Angela Fan et al. 2024. The llama 3 herd of models. arXiv preprint arXiv:2407.21783 (2024)."},{"key":"e_1_3_2_2_30_1","unstructured":"Nelson Elhage. 2023. What's with ML software and pickles? https:\/\/blog.nelha ge.com\/post\/pickles-and-ml\/."},{"key":"e_1_3_2_2_31_1","unstructured":"eugenesiow et al. 2025. Image super resolution models for PyTorch. https: \/\/github.com\/eugenesiow\/super-image\/."},{"volume-title":"BGE: One-Stop Retrieval Toolkit For Search and RAG. https:\/\/github.com\/FlagOpen\/FlagEmbedding.","year":"2025","key":"e_1_3_2_2_32_1","unstructured":"FlagEmbedding. 2025. BGE: One-Stop Retrieval Toolkit For Search and RAG. https:\/\/github.com\/FlagOpen\/FlagEmbedding."},{"key":"e_1_3_2_2_33_1","unstructured":"Flair. 2024. ner-english-fast. https:\/\/huggingface.co\/flair\/ner-english-fast. commit: f75577be7dbb6f47ea7681664560349e870aef18."},{"key":"e_1_3_2_2_34_1","unstructured":"Flair. 2025. How to load a prepared dataset. https:\/\/flairnlp.github.io\/docs\/tutor ial-training\/how-to-load-prepared-dataset."},{"key":"e_1_3_2_2_35_1","volume-title":"Recognition and Speaker Diarization in Conference Scenario. CoRR abs\/2104","author":"Fu Yihui","year":"2021","unstructured":"Yihui Fu, Luyao Cheng, Shubo Lv, Yukai Jv, Yuxiang Kong, Zhuo Chen, Yanxin Hu, Lei Xie, Jian Wu, Hui Bu, Xin Xu, Jun Du, and Jingdong Chen. 2021. AISHELL-4: An Open Source Dataset for Speech Enhancement, Separation, Recognition and Speaker Diarization in Conference Scenario. CoRR abs\/2104.03603 (2021). arXiv:2104.03603 https:\/\/arxiv.org\/abs\/2104.03603"},{"key":"e_1_3_2_2_36_1","unstructured":"GGML. 2025. GGUF. https:\/\/github.com\/ggml-org\/ggml\/blob\/master\/docs\/gguf.md."},{"volume-title":"6th Symposium on Dynamic Languages. Association for Computing Machinery","author":"Gorbovitski Michael","key":"e_1_3_2_2_37_1","unstructured":"Michael Gorbovitski, Yanhong A. Liu, Scott D. Stoller, Tom Rothamel, and Tuncay K. Tekle. 2010. Alias analysis for optimization of dynamic languages. In 6th Symposium on Dynamic Languages. Association for Computing Machinery, New York, NY, USA, 27--42."},{"key":"e_1_3_2_2_38_1","volume-title":"Badnets: Evaluating backdooring attacks on deep neural networks","author":"Gu Tianyu","year":"2019","unstructured":"Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2019. Badnets: Evaluating backdooring attacks on deep neural networks. IEEE Access 7 (2019)."},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.aiopen.2021.08.002"},{"key":"e_1_3_2_2_40_1","volume-title":"Pain Pickle: Bypassing Python Restricted Unpickler for Automatic Exploit Generation. In 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS). 1079--1090","author":"Huang Nan-Jung","year":"2022","unstructured":"Nan-Jung Huang, Chih-Jen Huang, and Shih-Kun Huang. 2022. Pain Pickle: Bypassing Python Restricted Unpickler for Automatic Exploit Generation. In 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS). 1079--1090."},{"key":"e_1_3_2_2_41_1","unstructured":"Hugging Face. 2024. Pickle Scanning. https:\/\/huggingface.co\/docs\/hub\/en\/sec urity-pickle."},{"key":"e_1_3_2_2_42_1","unstructured":"Hugging Face. 2024. Safetensors. https:\/\/huggingface.co\/docs\/safetensors."},{"key":"e_1_3_2_2_43_1","unstructured":"Hugging Face. 2025. GGUF. https:\/\/huggingface.co\/docs\/hub\/en\/gguf."},{"key":"e_1_3_2_2_44_1","unstructured":"Hugging Face. 2025. Hugging Face Hub documentation. https:\/\/huggingface.co \/docs\/hub\/en\/index."},{"key":"e_1_3_2_2_45_1","unstructured":"Hugging Sound. 2025. HuggingSound: A toolkit for speech-related tasks based on Hugging Face's tools. https:\/\/github.com\/jonatasgrosman\/huggingsound."},{"key":"e_1_3_2_2_46_1","unstructured":"Ilya-bs1. 2025. llama4-scout-interpreter-model. https: \/\/huggingf ace.co\/Ilya - bs1\/llama4 -scout-interpreter-model.commit: d61cd8c577fcce5910f990718346034d710932c1."},{"key":"e_1_3_2_2_47_1","volume-title":"Interoperability in Deep Learning: A User Survey and Failure Analysis of ONNX Model Converters. In 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis. 1466--1478","author":"Jajal Purvish","year":"2024","unstructured":"Purvish Jajal, Wenxin Jiang, Arav Tewari, Erik Kocinare, Joseph Woo, Anusha Sarraf, Yung-Hsiang Lu, George K Thiruvathukal, and James C Davis. 2024. Interoperability in Deep Learning: A User Survey and Failure Analysis of ONNX Model Converters. In 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis. 1466--1478."},{"key":"e_1_3_2_2_48_1","volume-title":"Detecting Active and Stealthy Typosquatting Threats in Package Registries. arXiv preprint arXiv:2502.20528","author":"Jiang Wenxin","year":"2025","unstructured":"Wenxin Jiang, Berk \u00c7akar, Mikola Lysenko, and James C Davis. 2025. Detecting Active and Stealthy Typosquatting Threats in Package Registries. arXiv preprint arXiv:2502.20528 (2025)."},{"key":"e_1_3_2_2_49_1","volume-title":"Naming Practices of Pre-Trained Models in Hugging Face. arXiv preprint arXiv:2310.01642","author":"Jiang Wenxin","year":"2024","unstructured":"Wenxin Jiang, Chingwo Cheung, Mingyu Kim, Heesoo Kim, George K Thiruvathukal, and James C Davis. 2024. Naming Practices of Pre-Trained Models in Hugging Face. arXiv preprint arXiv:2310.01642 (2024)."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00206"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR59073.2023.00021"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564547"},{"key":"e_1_3_2_2_53_1","unstructured":"Kaitai Project. 2025. Python pickle serialization format: format specification. http:\/\/formats.kaitai.io\/python_pickle\/."},{"key":"e_1_3_2_2_54_1","unstructured":"Andreas D. Kellas Neophytos Christou Wenxin Jiang Penghui Li Laurent Simon Yaniv David Vasileios P. Kemerlis James C. Davis and Junfeng Yang. 2025. PickleBall: Secure Deserialization of Pickle-based Machine Learning Models (Extended Report). (2025). arXiv:2508.15987 [cs.CR] https:\/\/arxiv.org\/abs\/2508.15987"},{"key":"e_1_3_2_2_55_1","unstructured":"Language Bind. 2025. Extending Video-Language Pretraining to N-modality by Language-based Semantic Alignment. https:\/\/github.com\/PKU-YuanGroup\/LanguageBind\/."},{"key":"e_1_3_2_2_56_1","volume-title":"31st USENIX Security Symposium (SEC '22)","author":"Li Song","year":"2022","unstructured":"Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining Node.js Vulnerabilities via Object Dependence Graph and Query. https:\/\/www.usenix.o rg\/conference\/usenixsecurity22\/presentation\/li-song. In 31st USENIX Security Symposium (SEC '22). USENIX Association, Boston, MA, 143--160."},{"key":"e_1_3_2_2_57_1","volume-title":"Microsoft COCO: Common Objects in Context. CoRR abs\/1405.0312","author":"Lin Tsung-Yi","year":"2014","unstructured":"Tsung-Yi Lin, Michael Maire, Serge J. Belongie, Lubomir D. Bourdev, Ross B. Girshick, James Hays, Pietro Perona, Deva Ramanan, Piotr Doll\u00e1r, and C. Lawrence Zitnick. 2014. Microsoft COCO: Common Objects in Context. CoRR abs\/1405.0312 (2014). arXiv:1405.0312 http:\/\/arxiv.org\/abs\/1405.0312"},{"key":"e_1_3_2_2_58_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Liu Guannan","year":"2022","unstructured":"Guannan Liu, Xing Gao, Haining Wang, and Kun Sun. 2022. Exploring the Unchartered Space of Container Registry Typosquatting. https:\/\/www.usenix .org\/conference\/usenixsecurity22\/presentation\/liu-guannan. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, 35--51."},{"key":"e_1_3_2_2_59_1","unstructured":"Tong Liu Guozhu Meng Peng Zhou Zizhuang Deng Shuaiyin Yao and Kai Chen. 2025. The Art of Hide and Seek: Making Pickle-Based Model Supply Chain Poisoning Stealthy Again. arXiv:2508.19774 [cs.CR] https:\/\/arxiv.org\/abs\/2508.19774"},{"key":"e_1_3_2_2_60_1","unstructured":"madilcy. 2025. arabic-medical-llama4. https:\/\/huggingface.co\/madilcy\/arabicmedical-llama4.commit: 826ac2b97a5724aba87ceeb9001aebeb1300b7d5."},{"key":"e_1_3_2_2_61_1","unstructured":"meta llama. 2024. Llama-3.1--8B-Instruct - original\/. https:\/\/huggingface.co\/meta-llama\/Llama-3.1--8B-Instruct\/tree\/main\/original.commit:0e9e39f249a16976918f6564b8830bc894c89659."},{"key":"e_1_3_2_2_62_1","unstructured":"meta llama. 2025. Llama-4-Scout-17B-16E-Instruct. https:\/\/huggingf ace.co\/meta- llama\/Llama-4-Scout-17B-16E-Instruct.commit: 92f3b1597a195b523d8d9e5700e57e4fbb8f20d3."},{"key":"e_1_3_2_2_63_1","unstructured":"MIT and Myshell.ai. 2025. MeloTTS is a high-quality multi-lingual text-to-speech library. https:\/\/github.com\/myshell-ai\/MeloTTS\/."},{"key":"e_1_3_2_2_64_1","volume-title":"Seventh IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM","author":"de Moor Oege","year":"2007","unstructured":"Oege de Moor, Mathieu Verbaere, Elnar Hajiyev, Pavel Avgustinov, Torbjorn Ekman, Neil Ongkingco, Damien Sereni, and Julian Tibble. 2007. Keynote Address: .QL for Source Code Analysis. In Seventh IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2007). 3--16."},{"key":"e_1_3_2_2_65_1","volume-title":"32nd USENIX Security Symposium (USENIX Security).","author":"Neupane Shradha","year":"2023","unstructured":"Shradha Neupane, Grant Holmes, Elizabeth Wyss, Drew Davidson, and Lorenzo De Carli. 2023. Beyond Typosquatting: An In-depth Look at Package Confusion. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentat ion\/neupane. In 32nd USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_2_66_1","unstructured":"Humboldt University of Berlin and friends. 2025. A very simple framework for state-of-the-art NLP. https:\/\/github.com\/flairNLP\/flair."},{"key":"e_1_3_2_2_67_1","unstructured":"Trail of Bits. 2024. fickling. https:\/\/github.com\/trailofbits\/fickling."},{"key":"e_1_3_2_2_68_1","volume-title":"DIMVA 2020","author":"Ohm Marc","year":"2020","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber's knife collection: A review of open source software supply chain attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment: 17th International Conference, DIMVA 2020, Lisbon, Portugal, June 24--26, 2020. Springer."},{"key":"e_1_3_2_2_69_1","volume-title":"FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. In 31st USENIX Security Symposium (USENIX Security 22)","author":"Park Sunnyeo","year":"2022","unstructured":"Sunnyeo Park, Daejun Kim, Suman Jana, and Sooel Son. 2022. FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. In 31st USENIX Security Symposium (USENIX Security 22). 197--214."},{"key":"e_1_3_2_2_70_1","unstructured":"Adam Paszke Sam Gross Soumith Chintala Gregory Chanan Edward Yang Zachary DeVito Zeming Lin Alban Desmaison Luca Antiga and Adam Lerer. 2017. Automatic differentiation in PyTorch. (2017)."},{"key":"e_1_3_2_2_71_1","unstructured":"Patry Nicolas and Biderman Stella. 2023. Audit shows that safetensors is safe and ready to become the default. https:\/\/huggingface.co\/blog\/safetensorssecurity-audit."},{"key":"e_1_3_2_2_72_1","volume-title":"Carbon emissions and large neural network training. arXiv preprint arXiv:2104.10350","author":"Patterson David","year":"2021","unstructured":"David Patterson, Joseph Gonzalez, Quoc Le, Chen Liang, Lluis-Miquel Munguia, Daniel Rothchild, David So, Maud Texier, and Jeff Dean. 2021. Carbon emissions and large neural network training. arXiv preprint arXiv:2104.10350 (2021)."},{"key":"e_1_3_2_2_73_1","unstructured":"Protect AI. 2024. Protect AI and Hugging Face: Securing the ML Supply Chain. https:\/\/protectai.com\/blog\/protect-ai-hugging-face-ml-supply-chain."},{"key":"e_1_3_2_2_74_1","unstructured":"pyannoteAI. 2025. pyannote.audio speaker diarization toolkit. https:\/\/github.com\/pyannote\/pyannote-audio."},{"key":"e_1_3_2_2_75_1","unstructured":"Python. 2025. pickle \u2014 Python object serialization. https:\/\/docs.python.org\/3\/li brary\/pickle.html."},{"key":"e_1_3_2_2_76_1","unstructured":"Python. 2025. Python Glossary -- Callable. https:\/\/docs.python.org\/3\/glossary.html#term-callable."},{"key":"e_1_3_2_2_77_1","unstructured":"PyTorch. 2024. PyTorch serialization.py. https:\/\/github.com\/pytorch\/pytorch\/blob\/726424f4deac82b7cd74cc86a55c610085698535\/torch\/serialization.py#L6."},{"key":"e_1_3_2_2_78_1","unstructured":"PyTorch. 2024. TorchScript. https:\/\/pytorch.org\/docs\/stable\/jit.html."},{"key":"e_1_3_2_2_79_1","unstructured":"PyTorch. 2024. Weights-only Unpickler. https:\/\/github.com\/pytorch\/pytorch\/blob\/main\/torch\/_weights_only_unpickler.py."},{"key":"e_1_3_2_2_80_1","unstructured":"PyTorch. 2025. PyTorch Commit 66dc8fb. https:\/\/github.com\/pytorch\/pytorch\/commit\/66dc8fb7ff822033c4b161fc216e21d6886568c7."},{"key":"e_1_3_2_2_81_1","unstructured":"PyTorch. 2025. Serialization semantics. https:\/\/github.com\/pytorch\/pytorch\/blob\/eb2df46b6af691cc13abfc8435c33963b30c7cb1\/docs\/source\/notes\/serialization.rst#torchload-with-weights_onlytrue."},{"key":"e_1_3_2_2_82_1","volume-title":"Dami\u00e1n A. Furman, Franco Luque, Laura Alonso Alemany, and Mar\u00eda Vanina Mart\u00ednez.","author":"P\u00e9rez Juan Manuel","year":"2025","unstructured":"Juan Manuel P\u00e9rez, Mariela Rajngewerc, Juan Carlos Giudici, Dami\u00e1n A. Furman, Franco Luque, Laura Alonso Alemany, and Mar\u00eda Vanina Mart\u00ednez. 2025. pysentimiento: A Python toolkit for Sentiment Analysis and Social NLP tasks. https:\/\/github.com\/pysentimiento\/pysentimiento."},{"key":"e_1_3_2_2_83_1","unstructured":"Qwen. 2025. Qwen3-0.6B. https:\/\/huggingface.co\/Qwen\/Qwen3-0.6B. commit: e6de91484c29aa9480d55605af694f39b081c455."},{"key":"e_1_3_2_2_84_1","volume-title":"Sentence Transformers: Embeddings, Retrieval, and Reranking. https:\/\/github.com\/UKPLab\/sentence-transformers\/.","author":"Reimers Nils","year":"2025","unstructured":"Nils Reimers and Iryna Gurevych. 2025. Sentence Transformers: Embeddings, Retrieval, and Reranking. https:\/\/github.com\/UKPLab\/sentence-transformers\/."},{"key":"e_1_3_2_2_85_1","unstructured":"sarahbadr. 2025. MNLP_M2_dpo_model. https:\/\/huggingface.co\/sarahbadr\/M NLP_M2_dpo_model. commit: 1d67b4e322ebe2613c45a950a71ef204f93d1562."},{"key":"e_1_3_2_2_86_1","doi-asserted-by":"publisher","DOI":"10.1145\/1707801.1706317"},{"key":"e_1_3_2_2_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639199"},{"key":"e_1_3_2_2_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510199"},{"key":"e_1_3_2_2_89_1","unstructured":"TarhanE. 2025. sft-base_loss-Qwen3-0.6B. https:\/\/huggingf ace.co\/T arhanE\/sft- base_loss-Qwen3- 0.6B-mle0- ul0- tox0- e4. commit: b2f51e83b726679bd64c9d34f3775e3d95b58a66."},{"key":"e_1_3_2_2_90_1","unstructured":"The HDF Group. 2025. HDF5. https:\/\/www.hdfgroup.org\/solutions\/hdf5\/."},{"key":"e_1_3_2_2_91_1","unstructured":"Trail of Bits. 2023. EleutherAl Hugging Face Safetensors Library Security Assessment. https:\/\/github.com\/trailofbits\/publications\/blob\/master\/reviews\/2023-03-eleutherai-huggingface-safetensors-securityreview.pdf."},{"key":"e_1_3_2_2_92_1","unstructured":"Adelin Travers. 2021. ONNX runtime hacks. https:\/\/github.com\/alkaet\/LobotoMl\/tree\/main\/ONNX_runtime_hacks"},{"key":"e_1_3_2_2_93_1","unstructured":"tttx. 2025. models-p10-ttt-18feb-fixed-sft-clip-step1. https:\/\/huggingface.co\/tttx\/models-p10-ttt-18feb-fixed-sft-clip-step1.commit: 0c3f92ef17faac10ad927bde668144f37cac0040."},{"key":"e_1_3_2_2_94_1","unstructured":"Dor Tumarkin. 2024. ''Free Hugs'' -- What to be Wary of in Hugging Face -- Part 4. https:\/\/checkmarx.com\/blog\/free-hugs-what-to-be-wary-of-in-huggingface-part-4\/"},{"key":"e_1_3_2_2_95_1","unstructured":"Ultralytics. 2025. Real-time object detection and image segmentation model. https:\/\/github.com\/ultralytics\/yolov5."},{"key":"e_1_3_2_2_96_1","unstructured":"Ultralytics. 2025. (SOTA) Real-time object detection and image segmentation model. https:\/\/github.com\/ultralytics\/ultralytics."},{"key":"e_1_3_2_2_97_1","unstructured":"Asahi Ushio and Jose Camacho-Collados. 2025. T-NER: An All-Round Python Library for Transformer-based Named Entity Recognition. https:\/\/github.com\/asahi417\/tner\/."},{"key":"e_1_3_2_2_98_1","volume-title":"Pre-trained language models and their applications. Engineering","author":"Wang Haifeng","year":"2022","unstructured":"Haifeng Wang, Jiwei Li, Hua Wu, Eduard Hovy, and Yu Sun. 2022. Pre-trained language models and their applications. Engineering (2022)."},{"key":"e_1_3_2_2_99_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102807"},{"key":"e_1_3_2_2_100_1","volume-title":"Machine Learning Threat Roundup","author":"Wickens Eoin","year":"2023","unstructured":"Eoin Wickens and Tom Bonner. 2024. Machine Learning Threat Roundup: February 2023: reverse shells and a steganography payload discovered in-thewild. https:\/\/hiddenlayer.com\/research\/machine-learning-threat-roundup\/"},{"key":"e_1_3_2_2_101_1","unstructured":"Eoin Wickens and Kasimir Schulz. 2024. Hijacking SafeTensors Conversion on Hugging Face. https:\/\/hiddenlayer.com\/research\/silent-sabotage\/"},{"key":"e_1_3_2_2_102_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950343"},{"key":"e_1_3_2_2_103_1","volume-title":"Modeling and Discovering Vulnerabilities with Code Property Graphs. In 2014 IEEE Symposium on Security and Privacy. 590--604","author":"Yamaguchi Fabian","year":"2014","unstructured":"Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. 2014. Modeling and Discovering Vulnerabilities with Code Property Graphs. In 2014 IEEE Symposium on Security and Privacy. 590--604."},{"key":"e_1_3_2_2_104_1","unstructured":"Karlo Zanki. 2025. Malicious ML models discovered on Hugging Face platform. https:\/\/www.reversinglabs.com\/blog\/rl-identifies-malware-ml-model-hostedon-hugging-face"},{"key":"e_1_3_2_2_105_1","unstructured":"Urchade Zaratiana Nadi Tomeh Pierre Holat and Thierry Charnois. 2025. Generalist and Lightweight Model for Named Entity Recognition. https:\/\/github.com\/urchade\/GLiNER\/."},{"key":"e_1_3_2_2_106_1","volume-title":"Automatic Policy Synthesis and Enforcement for Protecting Untrusted Deserialization. In 2024 Network and Distributed System Security Symposium. Internet Society","author":"Zhang Quan","year":"2024","unstructured":"Quan Zhang, Yiwen Xu, Zijing Yin, Chijin Zhou, and Yu Jiang. 2024. Automatic Policy Synthesis and Enforcement for Protecting Untrusted Deserialization. In 2024 Network and Distributed System Security Symposium. Internet Society, San Diego, CA, USA."},{"key":"e_1_3_2_2_107_1","volume-title":"Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs. In IEEE\/ACM International Conference on Automated Software Engineering.","author":"Zhao Jian","year":"2024","unstructured":"Jian Zhao, Shenao Wang, Yanjie Zhao, Xinyi Hou, Kailong Wang, Peiming Gao, Yuanchao Zhang, Chen Wei, and Haoyu Wang. 2024. Models Are Codes: Towards Measuring Malicious Code Poisoning Attacks on Pre-trained Model Hubs. In IEEE\/ACM International Conference on Automated Software Engineering."},{"key":"e_1_3_2_2_108_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00012"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765037","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765037","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:28:30Z","timestamp":1766442510000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765037"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":108,"alternative-id":["10.1145\/3719027.3765037","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765037","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}