2025-04-14 · HuggingFace

4M Models Scanned: Protect AI + Hugging Face 6 Months In

Source: HuggingFace Date: 2025-04-14 URL: https://huggingface.co/blog/pai-6-month

Summary

Partnership progress report: six months after the Protect AI Guardian integration (October 2024), 4.47M model versions across 1.41M repositories have been scanned. 352,000 unsafe/suspicious issues found across 51,700 models. System serves 226M requests/month at 7.94ms average response time. Four new threat modules added: archive slip attacks (PAIT-ARV-100), Joblib code execution (PAIT-JOBLIB-101), TensorFlow architectural backdoors (PAIT-TF-200), and Llamafile malicious code (PAIT-LMAFL-300). 200+ community vulnerability reports via huntr bug bounty program.

Implications

HF as open-source ML hub. 352,000 issues across 51,700 models means roughly 1 in 28 scanned model repos has something Guardian flags. That’s not trivial — the Hub’s supply chain security posture is now a quantifiable fact, not just a policy statement. The 200+ community reports via huntr suggest the security research community is treating HF as a legitimate target surface worth probing.

Open-weights ecosystem health. CVE-2025-1550 in Keras and the addition of a Llamafile vector to scanning suggest that as the model format ecosystem diversifies (Llamafile, GGUF, Joblib in addition to safetensors), the attack surface is expanding proportionally. Teams consuming models without running Guardian or an equivalent scanner should treat any pickle/Keras/Joblib artifact as untrusted by default.
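What "untrusted by default" can look like as a pre-load gate, as an added example that is not Guardian's, Hugging Face's or PyTorch's code: the script below triages a zip-packed checkpoint for two of the issue classes the threat modules above are named for (archive-slip entry names and code-bearing pickle imports) without ever calling pickle.load(). The pickle stream is decoded with pickletools.genops, which only parses opcodes, and every module/name the stream would import is compared against an allowlist. The torch-style data.pkl layout, the SAFE_IMPORTS allowlist and all sample archives are constructed for the example.

```python
"""Static triage of a zip-packed, pickle-based checkpoint (added example).

Nothing here deserialises the model: pickletools.genops only decodes opcodes,
and archive entry names are checked for path escape before any extraction.
"""
import argparse
import io
import pickle
import pickletools
import subprocess
import zipfile
from collections import OrderedDict, deque
from pathlib import PurePosixPath

# Hypothetical allowlist: the few imports a plain state_dict needs. A real
# deployment would derive this from the model family it actually accepts.
SAFE_IMPORTS = {
    ("collections", "OrderedDict"),
    ("torch", "FloatStorage"),
    ("torch._utils", "_rebuild_tensor_v2"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) a pickle would import, without loading it.

    GLOBAL/INST carry "module name" inline. STACK_GLOBAL (protocol 4+) takes
    the two strings pushed before it, which may arrive via memo GETs, so a
    small memo of string pushes is tracked. Anything unresolvable is reported
    as "<unresolved>" so it gets flagged rather than silently skipped.
    """
    imports: list[tuple[str, str]] = []
    strings: deque = deque(maxlen=2)   # last two string-valued pushes
    memo: dict[int, object] = {}
    last = None                        # most recent push, if it was a string
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            last = arg
            strings.append(arg)
        elif name in GET_OPS:
            last = memo.get(arg)
            strings.append(last)
        elif name == "MEMOIZE":        # memo[len(memo)] = top of stack
            memo[len(memo)] = last
        elif name in PUT_OPS:          # memo[arg] = top of stack
            memo[arg] = last
        elif name in ("GLOBAL", "INST"):
            module, qualname = arg.split(" ", 1)
            imports.append((module, qualname))
            last = None
        elif name == "STACK_GLOBAL":
            if len(strings) == 2 and all(isinstance(s, str) for s in strings):
                imports.append((strings[0], strings[1]))
            else:
                imports.append(("<unresolved>", "<unresolved>"))
            last = None
        elif name in ("EXT1", "EXT2", "EXT4"):   # copyreg extension registry
            imports.append(("<extension-registry>", str(arg)))
            last = None
        elif op.stack_after:           # any other push: top is not a string
            last = None
    return imports


def unsafe_archive_entries(zip_bytes: bytes) -> list[str]:
    """Entry names that would escape the extraction directory (archive slip)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename)
            if path.is_absolute() or ".." in path.parts or "\\" in info.filename:
                bad.append(info.filename)
    return bad


def scan_checkpoint(zip_bytes: bytes, allowlist=SAFE_IMPORTS) -> dict:
    """Triage one archive: unsafe paths, non-allowlisted imports, malformed pickles."""
    report = {"unsafe_paths": unsafe_archive_entries(zip_bytes),
              "unexpected_imports": [], "malformed": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".pkl"):
                continue
            try:
                found = pickle_imports(zf.read(info))
            except ValueError:         # truncated or garbled opcode stream
                report["malformed"].append(info.filename)
                continue
            report["unexpected_imports"] += [(info.filename, *imp)
                                             for imp in found if imp not in allowlist]
    clean = not (report["unsafe_paths"] or report["unexpected_imports"] or report["malformed"])
    report["verdict"] = "clean" if clean else "unsafe"
    return report


def build_sample(payload, extra_entry=None, protocol=4) -> bytes:
    """Constructed checkpoint: data.pkl inside a zip, the layout torch.save uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.pkl", pickle.dumps(payload, protocol=protocol))
        if extra_entry:
            zf.writestr(extra_entry, b"")
    return buf.getvalue()


# Constructed samples: a plain state_dict, and one whose pickle references a
# class outside the allowlist and whose archive carries a path-escaping entry.
CLEAN_SAMPLE = build_sample(OrderedDict(weight=[0.1, 0.2]))
UNSAFE_SAMPLE = build_sample(subprocess.Popen, extra_entry="../../escaped.sh")
PROTO3_PICKLE = pickle.dumps(OrderedDict(), protocol=3)          # exercises the GLOBAL path
MEMO_PICKLE = pickle.dumps([argparse.Namespace(), argparse.ArgumentParser],
                           protocol=4)                            # second module name may arrive via BINGET

if __name__ == "__main__":
    print(scan_checkpoint(CLEAN_SAMPLE))
    print(scan_checkpoint(UNSAFE_SAMPLE))
```

The scanner fails closed: an import it cannot resolve statically is reported rather than ignored, a pickle that does not decode cleanly is reported as malformed, and the allowlist approach means a new code-execution gadget is caught without anyone having to know its name in advance. It is a minimal gate, not a replacement for a maintained scanner like Guardian; it says nothing about Keras, Joblib or Llamafile formats, which each need their own parser.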