Cybersecurity researchers have uncovered a critical vulnerability in the artificial intelligence supply chain that enables attackers to achieve remote code execution across major cloud platforms including Microsoft Azure AI Foundry, Google Vertex AI, and thousands of open-source projects.<\/p>\n
The newly discovered attack method, termed \u201cModel Namespace Reuse,\u201d exploits a fundamental flaw in how AI platforms manage and trust model identifiers within the Hugging Face ecosystem.<\/p>\n
The vulnerability stems from Hugging Face\u2019s namespace management system, where models are identified using a two-part naming convention: Author\/ModelName.<\/p>\n
When organizations or authors delete their accounts from Hugging Face, their unique namespaces return to an available pool rather than becoming permanently reserved.<\/p>\n
This creates an opportunity for malicious actors to register previously used namespaces and upload compromised models under trusted names, potentially affecting any system that references models by name alone.<\/p>\n
Palo Alto Networks analysts identified<\/a> this supply chain attack vector during an extensive investigation of AI platform security practices.<\/p>\n The research revealed that the vulnerability affects not only direct integrations with Hugging Face<\/a> but also extends to major cloud AI services that incorporate Hugging Face models into their catalogs.<\/p>\n The attack\u2019s scope is particularly concerning given the widespread adoption of AI models across enterprise environments and the implicit trust placed in model naming conventions.<\/p>\n The attack mechanism operates through two primary scenarios. In the first, when a model author\u2019s account is deleted, the namespace becomes immediately available for re-registration.<\/p>\n The second scenario involves ownership transfers where models are moved to new organizations, followed by deletion of the original author account.<\/p>\n In both cases, malicious actors can exploit the namespace reuse to substitute legitimate models with compromised versions containing malicious payloads.<\/p>\n The researchers demonstrated the vulnerability\u2019s practical impact through controlled proof-of-concept attacks against Google Vertex AI and Microsoft Azure AI Foundry.<\/p>\n In their testing, they successfully registered abandoned namespaces and uploaded models embedded with reverse shell payloads.<\/p>\n The malicious code executed automatically when cloud platforms deployed these seemingly legitimate models<\/a>, granting attackers access to underlying infrastructure.<\/p>\n The attack\u2019s effectiveness lies in its exploitation of automated deployment processes. When platforms like Vertex AI\u2019s Model Garden or Azure AI Foundry\u2019s Model Catalog reference models by name, they inadvertently create persistent attack surfaces.<\/p>\n The researchers documented gaining access to dedicated containers with elevated permissions within Google Cloud<\/a> Platform and Azure environments, demonstrating the severity of potential breaches.<\/p>\n Organizations can mitigate this risk through version pinning, implementing the revision parameter to lock models to specific commits, and establishing controlled storage environments for critical AI assets.<\/p>\n The discovery underscores the urgent need for comprehensive security frameworks<\/a> addressing AI supply chain vulnerabilities as organizations increasingly integrate machine learning capabilities into production systems.<\/p>\n The post New Namespace Reuse Vulnerability Allows Remote Code Execution in Microsoft Azure AI, Google Vertex AI, and Hugging Face<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgw2xC1dR9vXG-g4vkCFwRvKoZqs3ZlyV7iDapi4N8LNqc_H0V-08CKp7Krr0n2pnKlSAhvMpiY9UHk5v2gM_3hz-iGX8myGAOQ1fVHgPCpu_Cth0L3T6Xz_bEkD4KaHTxLeKDLCApLxzUPwezSSKPXu-CTVWMwX3GjvFKFXXAkJqh-fcodRZHvsS8Xuu4\/s16000\/High-level%2520view%2520of%2520the%2520attack%2520vector%2520flow%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjHVy3U4xlHfenUh9jmAqbfpNLJ0-swUJu6mtBQAjEvU6MFe4Wp-bIrZM7ZWi6HATfJy01xZOGxFXI_yxZ70fkDuAJUEG3alNFdYM773XQAXwOYd1VWJaUpwcPY-vrC3Av_aFnxc90MHSyzLelDbc8CwmxOCKtiekid2UMhMMtC7pT7S1vfM9n1MfMWK-0\/s16000\/Variety%2520of%2520Hugging%2520Face%2520models%2520in%2520AI%2520Foundry%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
Technical Implementation and Attack Vectors<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhvhpavFO_2Yd67WnC7l86BGDTIlOgIU49NCscZj3Ddidgvmdl6sZeu71fU3YFvYtRD3s6956LyxSPD0CFEWEkUmdefT1g0r6FZUx5rOtqGsyUhpDlcRBSWaszrK6LU3sR7_FuIsL9e7HX8DEM25DwpDMwkD4MU0myxrbvOFkWP0r4qo4MlOBlLpQXlAMY\/s16000\/Deploying%2520a%2520model%2520from%2520Hugging%2520Face%2520to%2520Vertex%2520AI%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
from transformers import AutoTokenizer, AutoModelForCausalLM\n\n# Vulnerable code pattern found in thousands of repositories\ntokenizer = AutoTokenizer.from_pretrained(\"AIOrg\/Translator_v1\")\nmodel = AutoModelForCausalLM.from_pretrained(\"AIOrg\/Translator_v1\")<\/code><\/pre>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n