Security researchers and activists are highlighting multiple avenues for AI model poisoning, spanning both the software supply chain around model artifacts and the upstream data used to train models. Palo Alto Networks’ Unit 42 reported that popular AI/ML Python libraries used with Hugging Face-hosted models can be abused to hide malicious code in model metadata that may execute when a poisoned file is loaded, expanding the attack surface for organizations that download and run third‑party models.
Unit 42 tied the issue to libraries including Nvidia NeMo, Salesforce Uni2TS, and FlexTok (Apple/EPFL VILAB), which rely on Meta’s Hydra configuration framework—specifically the instantiate() function—prompting maintainers to issue fixes and, in some cases, assign CVEs; no in-the-wild exploitation was reported at the time. Separately, the Poison Fountain initiative is advocating intentional poisoning of AI training data by encouraging website operators to embed links that lead AI crawlers to corrupted content (including subtly wrong code) to degrade model quality, reflecting escalating debate over AI safety and the practicality of data poisoning attacks against model performance.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Meta updated Hydra's documentation to warn that instantiate() can be abused for remote code execution and recommended block-listing dangerous targets. At the time of reporting, Hydra still lacked a built-in block-list mechanism in a released version.
Palo Alto Networks Unit 42 publicly disclosed that NeMo, Uni2TS, and FlexTok could allow remote code execution when crafted model metadata is loaded. The researchers said the root cause was unsafe use of Hydra's instantiate() function and noted no in-the-wild exploitation had been observed.
Nvidia released fixes and assigned CVEs for NeMo, while Apple/EPFL VILAB updated FlexTok to mitigate similar metadata-based code execution risks. FlexTok's mitigation included changing YAML configuration parsing, adding an allow-list, and advising users to load only trusted models.
A new initiative called Poison Fountain was reported as encouraging website operators to deliberately feed AI web crawlers corrupted or inaccurate content. Its stated goal is to degrade model performance and disrupt AI development by poisoning scraped training data.
Salesforce remediated a remote code execution vulnerability in the Uni2TS AI/ML library in July 2025 after the issue was reported. The flaw stemmed from unsafe use of Hydra configuration instantiation that allowed malicious payloads to be embedded in model metadata.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcego.theregister.com
Open sourcescworld.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.