---
title: "Securing LLM dependencies against serialisation attacks"
description: "Learn how to secure LLM supply chains against serialization attacks. This guide explores why Python’s Pickle format is inherently insecure, demonstrates vulnerability scanning with Picklescan and Modelscan, and shows how to use Cloudsmith Rego policies to automate the blocking of malicious Hugging Face models."
canonical_url: "https://cloudsmith.com/blog/securing-llm-dependencies-against-serialisation-attacks"
last_updated: "2026-02-02T18:01:32.782Z"
---
# Securing LLM dependencies against serialisation attacks

At the time of writing, there are over [**2.5 million models**](https://huggingface.co/models) hosted on Hugging Face. This democratisation of AI is changing how we all work and develop with AI, but it also introduces a massive supply chain risk. Every time a developer runs [**from_pretrained()**](https://huggingface.co/docs/transformers/en/models), they are pulling an opaque blob of data from a public registry and handing it straight to a loader.



The core of the issue? We often don't know the provenance of these models, their true licensing constraints, or (most importantly) what code is tucked inside their weight files.



### **What is a Pickle and why is it dangerous?**

In the Python ecosystem, [**Pickling**](https://docs.python.org/3/library/pickle.html) is the standard way to serialise object structures into binary. In machine learning, it underpins the default format for [**PyTorch**](https://pytorch.org/) weights (`.pt`, `.pth`, `.bin`): `torch.save` writes a zip archive whose `data.pkl` entry is a pickle stream that references the tensor storage files stored alongside it.



However, the Pickle protocol is not just a data format; it is a stack-based virtual machine. When you [**unpickle**](https://stackabuse.com/how-to-pickle-and-unpickle-objects-in-python/) a file, you aren't just reading data, you're also executing a sequence of instructions ([**opcodes**](https://en.wikipedia.org/wiki/Opcode)), and two of those opcodes, `GLOBAL` and `REDUCE`, let the stream import any importable callable and call it with arguments of the stream's choosing.


**The security flaw:** Pickle was never designed to be secure against erroneous or maliciously constructed data; the Python documentation itself carries that warning. A malicious actor can craft a pickle file that, when opened, executes arbitrary code on your machine, such as opening a reverse shell or exfiltrating environment variables, and it runs the moment the file is loaded, before any model code is reached.
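To make the "virtual machine" point concrete, here is an added example (mine, not code from the original post) that hand-assembles a six-opcode pickle, lists its opcodes without running them, shows that plain `pickle.loads` executes the embedded `eval` call, and then feeds the same bytes through a `pickle.Unpickler` subclass whose `find_class` resolves only an explicit allowlist. That override is the defence the Python documentation recommends and the idea behind `torch.load(weights_only=True)`. The allowlist contents are an assumption for the example.

```python
import io
import pickle
import pickletools

# Constructed payload: a protocol-0 pickle written by hand, one opcode per line.
# Same shape as the trap in ykilcher/totally-harmless-model, but the expression
# handed to eval() is harmless.
MALICIOUS = (
    b"cbuiltins\neval\n"  # GLOBAL  - import builtins.eval and push the function
    b"("                  # MARK    - start of the argument tuple
    b"S'7*6'\n"           # STRING  - attacker-chosen argument
    b"t"                  # TUPLE   - collect back to MARK -> ('7*6',)
    b"R"                  # REDUCE  - call eval('7*6'); the result replaces both
    b"."                  # STOP    - whatever is on top of the stack is "the model"
)

# A pickle that only carries data: no GLOBAL, no REDUCE anywhere in the stream.
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3], "epoch": 3})


def opcode_names(stream: bytes) -> list:
    """List the opcodes in a stream without executing any of them."""
    return [op.name for op, _arg, _pos in pickletools.genops(stream)]


def unsafe_loads(stream: bytes):
    """What pickle.loads (and torch.load without weights_only) does: run the VM."""
    return pickle.loads(stream)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals; every other GLOBAL/STACK_GLOBAL is refused.

    The allowlist is an assumption for this example. A real loader lists exactly
    the classes its checkpoints need, which is what torch.load(weights_only=True)
    does for PyTorch.
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import global {module}.{name}")


def safe_loads(stream: bytes):
    """Drop-in replacement for pickle.loads that cannot reach arbitrary callables."""
    return RestrictedUnpickler(io.BytesIO(stream)).load()


def is_rejected(stream: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_loads(stream)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(opcode_names(MALICIOUS))   # ['GLOBAL', 'MARK', 'STRING', 'TUPLE', 'REDUCE', 'STOP']
    pickletools.dis(MALICIOUS)       # annotated disassembly of the same stream
    print("plain pickle.loads returned:", unsafe_loads(MALICIOUS))   # 42: eval ran
    print("restricted loader rejected it:", is_rejected(MALICIOUS))  # True
    print("restricted loader still reads data:", safe_loads(BENIGN))
```

The `eval` here is fed a harmless constant; in a real checkpoint the argument is whatever the attacker wrote into the stream. The restricted loader stops at the first global outside its allowlist, so loading a genuine checkpoint through it also tells you precisely which classes that checkpoint needs.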



### **Visualising the attack with Picklescan**

You can see this in action using open-source tools like [**picklescan**](https://github.com/mmaitre314/picklescan). By scanning a known dummy malicious model ([**ykilcher/totally-harmless-model**](https://huggingface.co/ykilcher/totally-harmless-model/blob/main/pytorch_model.bin)), we can see exactly where the trap was set.



Again, this is a dummy model. It's not actually malicious. To my knowledge it doesn't do anything. This is purely to demonstrate what picklescan is looking for:



```bash
pip install picklescan
picklescan --huggingface ykilcher/totally-harmless-model
```

**The result:** The scanner identifies a _dangerous global_: the pickle stream imports [**eval()**](https://www.geeksforgeeks.org/python/eval-in-python/) (under its Python 2 name `__builtin__`, which Python 3 silently maps to `builtins` on load) and would call it while `torch.load` reconstructs the model, executing whatever expression the file supplies. This is the smoking gun of a serialisation attack, and picklescan finds it by reading the opcodes, without ever executing the stream.



Outputs look like this:

```text
https://huggingface.co/ykilcher/totally-harmless-model/resolve/main/pytorch_model.bin:archive/data.pkl: global import '__builtin__ eval' FOUND
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
Dangerous globals: 1
```

The scanner can also read pickles from local files and directories (`-p`), URLs (`-u`) and zip archives, which is how it reaches the `data.pkl` inside a PyTorch checkpoint.



For the purpose of demonstration, let's scan the [**pytorch_model.bin**](https://huggingface.co/sshleifer/tiny-distilbert-base-cased-distilled-squad/blob/main/pytorch_model.bin) file associated with the [**sshleifer/tiny-distilbert-base-cased-distilled-squad**](https://huggingface.co/sshleifer/tiny-distilbert-base-cased-distilled-squad) model on Hugging Face, a small model commonly used as a test fixture:



```bash
picklescan --url https://huggingface.co/sshleifer/tiny-distilbert-base-cased-distilled-squad/resolve/main/pytorch_model.bin
```
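What picklescan does under the hood is walk the opcode stream with `pickletools.genops` and record every global the stream would import, never executing anything. The added example below (mine, not picklescan's or Modelscan's code) does the same for a raw pickle and for a PyTorch-style zip checkpoint, resolving both the `GLOBAL` opcode of the older protocols and the `STACK_GLOBAL` opcode of protocol 4, and normalising the Python 2 module name `__builtin__` so that the `__builtin__ eval` reported above is caught. The deny-list, the `Evil` class and the constructed checkpoint are assumptions for the example.

```python
import io
import pickle
import pickletools
import zipfile

# Python 2 module names still turn up in the wild (the scan above reports
# '__builtin__ eval'); Python 3 maps them on load, so the scanner must as well.
ALIASES = {"__builtin__": "builtins", "posix": "os", "nt": "os"}

# Deny-list for this example only; picklescan and Modelscan keep their own, longer lists.
DANGEROUS = {
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "compile"),
    ("builtins", "__import__"), ("builtins", "getattr"),
    ("os", "system"), ("os", "popen"), ("os", "execv"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("webbrowser", "open"), ("socket", "socket"), ("runpy", "run_path"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(stream: bytes) -> list:
    """Every (module, name) the stream would import, found by walking opcodes, not running them.

    GLOBAL (protocols 0-3) carries "module name" inline. STACK_GLOBAL (protocol 4+)
    takes its two operands from the stack, and they may arrive via the memo, so a
    shadow memo of string values is kept. Only strings are tracked; that is all
    STACK_GLOBAL's operands can be.
    """
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(stream):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((ALIASES.get(module, module), name))
        elif op.name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif op.name == "MEMOIZE":              # memo index is implicit: next free slot
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            strings.append(memo.get(arg))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: operands missing")
            name, module = strings.pop(), strings.pop()
            found.append((ALIASES.get(module, module), name))
    return found


def scan(blob: bytes, label: str = "<bytes>") -> dict:
    """Scan a raw pickle, or a PyTorch-style zip checkpoint by scanning every *.pkl member."""
    members = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".pkl"):
                    members.append((f"{label}:{info.filename}", zf.read(info)))
    else:
        members.append((label, blob))
    report = {"globals": [], "dangerous": []}
    for where, stream in members:
        for module, name in referenced_globals(stream):
            report["globals"].append((where, module, name))
            if (module, name) in DANGEROUS:
                report["dangerous"].append((where, module, name))
    return report


# --- constructed inputs ---------------------------------------------------------
class Evil:
    """__reduce__ makes the unpickler call eval(...) on load, as in the page's demo."""

    def __reduce__(self):
        return (eval, ("7*6",))


def build_torch_style_checkpoint() -> bytes:
    """Stand-in for a torch.save() archive: the pickle stream lives in archive/data.pkl."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(Evil(), protocol=4))  # uses STACK_GLOBAL
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


LEGACY_PY2 = b"c__builtin__\neval\n(S'7*6'\ntR."                 # protocol 0, Python 2 module name
CLEAN = pickle.dumps({"layer.weight": [0.5, -0.5]}, protocol=4)  # data only, no globals

if __name__ == "__main__":
    for label, blob in [("model.bin", build_torch_style_checkpoint()),
                        ("legacy.pkl", LEGACY_PY2), ("clean.pkl", CLEAN)]:
        report = scan(blob, label)
        verdict = "INFECTED" if report["dangerous"] else "clean"
        print(f"{label}: {verdict}", report["dangerous"])
```

The constructed checkpoint produces the same finding picklescan reports above for `archive/data.pkl`, while the data-only pickle comes back clean. The deny-list is deliberately short; picklescan additionally classes globals outside its known-safe list as suspicious, and that is the safer default for a production gate.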



### **Preventing model serialisation attacks with Modelscan**

As discussed above, ML models are shared publicly over the internet, and within and across teams. The rise of foundation models has driven both the consumption and the further training or fine-tuning of public ML models. Because those models end up making critical decisions and powering mission-critical applications, it is worth having more than one open-source scanning option, especially since scanners have bugs of their own: bypass vulnerabilities have been reported in [**Picklescan**](https://www.scworld.com/brief/ai-models-threatened-by-critical-picklescan-zero-days) itself.



[**Modelscan**](https://github.com/protectai/modelscan) is an open source project from [**Protect AI**](https://huggingface.co/docs/hub/en/security-protectai) that scans models to determine if they contain unsafe code. It was the first model scanning tool to support multiple model formats; it currently supports the **H5**, **Pickle** and **SavedModel** formats, which covers models produced with [**PyTorch**](https://pypi.org/project/torch/), [**TensorFlow**](https://pypi.org/project/tensorflow/), [**Keras**](https://pypi.org/project/keras/), [**scikit-learn**](https://pypi.org/project/scikit-learn/) and [**XGBoost**](https://pypi.org/project/xgboost/), with more on the way.



```bash
pip install modelscan
modelscan -p ~/.cache/huggingface/hub --show-skipped
```



Scanning the entire local Hugging Face cache on my MacBook with Modelscan showed nothing suspicious, including when it reached the original [**ykilcher**](https://huggingface.co/ykilcher) Totally Harmless Model we downloaded earlier.



![Output from running modelscan on fake (totally harmless) model](https://cdn.sanity.io/images/rafvlnhi/production/f3cfc6ba838d88c0636b45b98d0eff79d2665eda-2252x1470.png)

*Scan of ykilcher/totally-harmless-model from Hugging Face*



To confirm that Modelscan does flag unsafe globals, we create a simple **`make-bad-model.py`** file:

```python
import pickle
import os
import webbrowser


# --- 1. CRITICAL: Shell Access ---
class CriticalMalicious:
    def __reduce__(self):
        return (os.system, ("echo 'CRITICAL DETECTED'",))


# --- 2. HIGH: Network/Browser Interaction ---
class HighRisk:
    def __reduce__(self):
        return (webbrowser.open, ("http://malicious-site.com",))


# --- 3. MEDIUM: Unsafe Keras-style patterns ---
# Note: Medium is often triggered by Lambda layers in .h5 files,
# but using a non-standard global in Pickle often defaults to Medium.
class MediumRisk:
    def __reduce__(self):
        return (print, ("Potential unsafe logging",))


# Save the files
with open("test_critical.pkl", "wb") as f:
    pickle.dump(CriticalMalicious(), f)
with open("test_high.pkl", "wb") as f:
    pickle.dump(HighRisk(), f)
with open("test_medium.pkl", "wb") as f:
    pickle.dump(MediumRisk(), f)
print("Files created: test_critical.pkl, test_high.pkl, test_medium.pkl")
```



Then run the below commands to create the model and scan it with Modelscan:

```bash
python3 make-bad-model.py
modelscan -p .
```



![Scanning pickle files in simple deserialisation attack](https://cdn.sanity.io/images/rafvlnhi/production/4bf6d8ff2b30ac2eb24ab8caf9479012133fc03e-2252x1470.png)

*Scanning pickle files in simple deserialisation attack*



The above Python script is a classic example of why pickling is dangerous and why tools like **Modelscan** exist. `__reduce__` tells Python exactly how to reconstruct the object when it's loaded: it returns a callable and a tuple of arguments, which the pickler writes out as a `GLOBAL` import followed by a `REDUCE` call. Put `os.system` or `webbrowser.open` in that position and a simple data file becomes an executable script that runs the moment it is loaded.



Pointed at the directory containing the three files, Modelscan should flag `test_critical.pkl` because it detects the use of the `os.system` global within the pickle stream.



When you’re done, you can clean up all the newly-created files with the below command:

```bash
rm make-bad-model.py test_medium.pkl test_critical.pkl test_high.pkl
```



### Defensive strategies with Cloudsmith

To secure your AI pipeline, you should adopt a defence-in-depth strategy:

1. **Prefer safetensors**: Use the new [**safetensors**](https://huggingface.co/docs/safetensors/index) format, which is designed to be zero-copy and, crucially, non-executable. This is the ideal starting point.
2. **Vetting imports**: Because some models force us to use file formats considered “less safe” than safetensors, we should only load models from trusted organisations, where possible. For example, I trust Nvidia or Google more than random publishers on the internet.
3. **Cross-format conversion**: When a repository ships a [**TensorFlow**](https://www.tensorflow.org/) or Flax/[**JAX**](https://docs.jax.dev/en/latest/notebooks/thinking_in_jax.html) checkpoint alongside its pickle one, `from_pretrained(..., from_tf=True)` or `from_flax=True` loads that instead of the `.bin`. Treat this as reducing exposure rather than removing it: Keras `.h5` and SavedModel files are not code-free either (a Lambda layer in an `.h5` file is exactly the pattern Modelscan's Medium severity targets), so scan them as well.
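The reason safetensors closes the door that pickle opens is structural: the file is a length-prefixed JSON header followed by one flat byte buffer, and a reader only ever slices that buffer, so there is no opcode stream and nothing to call. The following added example (mine, not part of the original post or of the safetensors project) writes and parses that layout in plain Python with the validation checks a reader needs: a bound on the header length, contiguous in-range offsets, and a byte count that matches dtype and shape. The dtype table, the header-length cap and the constructed sample tensors are assumptions modelled on the reference implementation.

```python
import json
import struct

# Byte widths for the dtype codes used here (subset; an assumption for the example).
DTYPE_SIZE = {"F64": 8, "F32": 4, "F16": 2, "BF16": 2, "I64": 8, "I32": 4, "I8": 1, "U8": 1, "BOOL": 1}
MAX_HEADER = 100_000_000  # reader refuses larger headers (bound modelled on the reference reader)


def write_safetensors(tensors: dict, metadata: dict = None) -> bytes:
    """Lay out {name: (dtype, shape, raw_bytes)} as: u64 LE header length, JSON header, data buffer."""
    header, buffer, offset = {}, bytearray(), 0
    for name, (dtype, shape, raw) in sorted(tensors.items()):
        header[name] = {"dtype": dtype, "shape": shape, "data_offsets": [offset, offset + len(raw)]}
        buffer += raw
        offset += len(raw)
    if metadata:
        header["__metadata__"] = metadata      # strings to strings only
    head = json.dumps(header).encode("utf-8")
    head += b" " * (-len(head) % 8)            # pad header to a multiple of 8 bytes
    return struct.pack("<Q", len(head)) + head + bytes(buffer)


def read_safetensors(blob: bytes) -> dict:
    """Parse and validate a blob. Nothing named in the file is ever looked up or called:
    the header is plain JSON and each tensor is a bounds-checked slice of the buffer."""
    if len(blob) < 8:
        raise ValueError("too short to hold a header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if n > MAX_HEADER or 8 + n > len(blob):
        raise ValueError(f"header length {n} out of range")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    data = blob[8 + n:]
    metadata = header.pop("__metadata__", None)
    if metadata is not None and not (isinstance(metadata, dict) and all(
            isinstance(k, str) and isinstance(v, str) for k, v in metadata.items())):
        raise ValueError("__metadata__ must map strings to strings")
    tensors, expected_start = {}, 0
    # Offsets must be contiguous, in range and match dtype * shape; gaps and overlaps are rejected.
    for name, info in sorted(header.items(), key=lambda kv: kv[1]["data_offsets"][0]):
        dtype, shape, (start, end) = info["dtype"], info["shape"], info["data_offsets"]
        if dtype not in DTYPE_SIZE:
            raise ValueError(f"{name}: unsupported dtype {dtype}")
        if start != expected_start or end < start or end > len(data):
            raise ValueError(f"{name}: data_offsets {start}:{end} are not contiguous and in range")
        count = 1
        for dim in shape:
            count *= dim
        if count * DTYPE_SIZE[dtype] != end - start:
            raise ValueError(f"{name}: shape {shape} does not match {end - start} bytes")
        tensors[name] = (dtype, shape, data[start:end])
        expected_start = end
    if expected_start != len(data):
        raise ValueError("buffer has bytes no tensor accounts for")
    return tensors


def as_floats(raw: bytes) -> list:
    """Decode a little-endian F32 payload for display."""
    return list(struct.unpack(f"<{len(raw) // 4}f", raw))


def is_malformed(blob: bytes) -> bool:
    """True when the reader refuses the blob."""
    try:
        read_safetensors(blob)
    except (ValueError, KeyError, TypeError):
        return True
    return False


# --- constructed sample file -----------------------------------------------------
SAMPLE = write_safetensors(
    {"layer.weight": ("F32", [2, 2], struct.pack("<4f", 1, 2, 3, 4)),
     "layer.bias": ("F32", [2], struct.pack("<2f", 0.5, -0.5))},
    {"format": "pt"},
)


def tampered(blob: bytes) -> bytes:
    """Constructed attack: keep the data, rewrite one tensor's offsets to run past the buffer."""
    (n,) = struct.unpack("<Q", blob[:8])
    header = json.loads(blob[8:8 + n])
    header["layer.weight"]["data_offsets"] = [8, 1 << 20]
    head = json.dumps(header).encode("utf-8")
    return struct.pack("<Q", len(head)) + head + blob[8 + n:]


if __name__ == "__main__":
    loaded = read_safetensors(SAMPLE)
    print({k: (d, s, as_floats(raw)) for k, (d, s, raw) in loaded.items()})
    print("tampered header rejected:", is_malformed(tampered(SAMPLE)))  # True
```

Compare this with the pickle loader: the worst a hostile safetensors header can do is describe offsets or shapes that do not fit, and every such case is a `ValueError` before any bytes are handed to the caller. That bounded failure mode is what "non-executable" buys you.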



### Automated protection with Cloudsmith’s Rego policies

Manually scanning every model isn't scalable. This is where Cloudsmith comes in. In a [**previous blog post**](https://cloudsmith.com/blog/extend-epm-policies-to-huggingface-artifacts), we explained how to use Cloudsmith as your private proxy for AI models, and how to enforce Hugging Face policies in Enterprise Policy Manager (EPM) to automatically block potentially infected or unsafe models before they ever reach a developer's machine.



#### **Example 1: Blocking based on scan results**

The nice thing for Hugging Face users is that Hugging Face Hub already runs [**Pickle Scanning**](https://huggingface.co/docs/hub/en/security-pickle) over the pickle files in every public repository and records whether it found anything unsafe. This Cloudsmith `.rego` policy rejects ingesting any Hugging Face model whose security scan did not come back `SAFE`:

```rego
package cloudsmith
import rego.v1

default match := false

incomplete_or_unsafe if {
    input.v0.model_security.availability != "COMPLETE"
}

incomplete_or_unsafe if {
    input.v0.model_security.scan_summary != "SAFE"
}

match if {
    "huggingface" == input.v0.package.format
    incomplete_or_unsafe
}
```

Note that the policy fails closed: the first `incomplete_or_unsafe` rule also rejects a model whose scan result is not yet `COMPLETE`, so an unscanned model is treated the same as a flagged one.



As discussed earlier, we can also run standalone picklescan almost anywhere and cross-check its findings against Cloudsmith's scan results. Beyond that, it is worth considering a more restrictive stance on which file formats we accept into production at all.



#### **Example 2: Reducing the potential attack surface by extension**

If your LLMOps and security teams have standardised on the [**safetensors**](https://github.com/huggingface/safetensors) format, you can explicitly block legacy or high-risk formats. This reduces the overall attack surface by preventing the entry of formats known to support execution (like `.pkl` or `.joblib`). Note that `.bin` is also the extension Hugging Face uses for pickle-based PyTorch checkpoints, so this policy will quarantine many older repositories; that is the intent, but confirm the models your teams need are published as safetensors first.

```rego
package cloudsmith
import rego.v1

default match := false

pkg := input.v0.package
hf_pkg if "huggingface" == pkg.format

risky_file_extensions := {
    ".h5", ".hdf5", ".pdparams", ".keras", ".bin", ".pkl", ".dat", ".pt", ".pth",
    ".ckpt", ".npy", ".joblib", ".dill", ".pb", ".gguf", ".zip"
}

match if {
    hf_pkg
    some file in pkg.files
    file.file_extension in risky_file_extensions
}
```

![Quarantined Hugging Face models in Cloudsmith](https://cdn.sanity.io/images/rafvlnhi/production/df0895a600b137eafb864c5f75b829745e09371a-3004x1632.png)

*Quarantined Hugging Face models in Cloudsmith*



### **Do not blindly trust model weights**

Like a funhouse mirror, securing AI models isn't always what it seems. Securing generative AI is about more than just protecting the code; it's about protecting the data that behaves like code. By using flexible Rego policies within Cloudsmith, you move from a reactive posture (scanning after the fact) to a proactive one (blocking by policy).



Check out our upcoming webinar with great insights about Hugging Face and evolving AI threats:

[![Cloudsmith Webinar - Securely Sourcing LLM Models from Hugging Face](https://cdn.sanity.io/images/rafvlnhi/production/b154f58a3d84a5fa72b6e746c8716e94e059df4d-674x259.png)](https://cloudsmith.com/events/webinars/how-to-securely-source-your-llm-models-from-hugging-face)

*Cloudsmith Webinar - Securely Sourcing LLM Models from Hugging Face*

Want a broader framework for protecting AI artifacts and model supply chains? Explore our **practical guide to [securing non-deterministic systems in LLMOps](https://cloudsmith.com/campaigns/securing-non-deterministic-systems-a-practical-guide-for-ai-artifacts-and-llmops)**.
