
Announcing Experimental Malware Scanning for the Hugging Face Ecosystem

Blog post from Socket

Post Details
Author: Wenxin Jiang
Word Count: 1,597
Language: English
Summary

Socket has introduced experimental support for Hugging Face to improve security in the AI model ecosystem by detecting threats such as hidden malware, backdoors, and malicious payloads embedded in AI models. This expansion is a significant step towards securing AI supply chains, because models, unlike traditional software code, can execute code during deserialization or inference. Socket's AI scanners inspect model files, including those produced by PyTorch, TensorFlow, Keras, and other frameworks, to detect deserialization and runtime attacks. The integration lets users analyze Hugging Face models for security threats including arbitrary code execution and potential data exfiltration, using tools such as the PURL API and AI Bill of Materials (AIBOM) files. Socket also provides license compliance support through License Overlays and plans to extend its protection to Hugging Face Datasets and Spaces, with the goal of making AI ecosystems as secure as traditional software environments.