Researchers from Palo Alto Networks’ Unit 42 have disclosed a critical weakness in the AI supply chain that could enable attackers to hijack machine learning pipelines across major platforms including Microsoft Azure AI Foundry, Google Vertex AI, and thousands of open-source projects. The issue, which the team has dubbed Model Namespace Reuse, exposes organizations to the risk of deploying malicious models under trusted names.
At the heart of the problem is Hugging Face, one of the largest platforms for sharing and deploying AI models. Models on Hugging Face are identified using a two-part naming convention: Author/ModelName.
Unit 42 explains: “Model Namespace Reuse occurs when cloud provider model catalogs or code retrieve a deleted or transferred model by name. By re-registering an abandoned namespace and recreating its original path, malicious actors can target pipelines that deploy models based solely on their name.”
This loophole means that if a legitimate organization deletes its account—or transfers ownership of a model—attackers can reclaim the namespace and upload a compromised version of the model. Any downstream system that still references the original model name would unknowingly fetch the malicious one.

The researchers outlined two fictional but realistic scenarios:
- Ownership Deletion: If an organization deletes its Hugging Face account, the namespace becomes available for anyone to claim. As the report warns, “without developers being aware of it, codebases and pipelines might pull and deploy the malicious version.”
- Ownership Transfer: Even when models are transferred to a new owner, Hugging Face maintains redirects for continuity. However, if the old namespace is later deleted and reclaimed by an attacker, the redirection mechanism breaks—potentially replacing trusted models with attacker-controlled versions.
The Unit 42 team demonstrated the attack across multiple platforms:
- Google Vertex AI: By re-registering an orphaned Hugging Face namespace, researchers embedded a payload in a model and showed that upon deployment, “we gained access to the underlying infrastructure hosting the model — specifically, the endpoint environment.”
- Microsoft Azure AI Foundry: A similar test allowed researchers to deploy a backdoored model that successfully executed a reverse shell, granting persistent access to Azure endpoints.
- Open-Source Ecosystem: The risk extends far beyond cloud platforms. Unit 42 found thousands of vulnerable open-source projects referencing abandoned model namespaces. In their words, “such projects expose their users to significant security risks. Attackers can take advantage of project dependencies… and malicious files are then likely to be deployed into user environments.”
- Other Model Registries: Even model catalogs from platforms like Kaggle inherit this risk, as they automatically ingest models from Hugging Face.
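To find the name-only references described above in your own pipeline code, the following added example (not Unit 42's tooling or any project's code) parses Python source for Hugging Face loader calls and reports each model reference as pulled by name or branch alone versus pinned to a full commit hash; it assumes the transformers / huggingface_hub loader names listed in LOADER_NAMES and runs on a constructed sample snippet.

```python
import ast
import re

# Loader calls that fetch a model by "Author/ModelName" (assumption: the pipeline
# uses transformers / huggingface_hub; extend LOADER_NAMES for other loaders).
LOADER_NAMES = {"from_pretrained", "snapshot_download", "hf_hub_download"}
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")              # full git commit hash
REPO_ID = re.compile(r"^[A-Za-z0-9][\w.-]*/[\w.-]+$")   # Hub id, not a local path


def _call_name(node):
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


def _str(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def audit_model_refs(source):
    """Return (repo_id, line, status) for each literal Hub model reference.
    "pinned": revision is a commit SHA, so a reclaimed namespace cannot serve
    other content under it (the fetch fails instead). "unpinned": name only or a
    branch/tag, which resolves to whatever the current namespace owner publishes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_name(node) not in LOADER_NAMES:
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        repo_id = _str(node.args[0]) if node.args else _str(
            kwargs.get("repo_id") or kwargs.get("pretrained_model_name_or_path"))
        if repo_id is None or not REPO_ID.match(repo_id):
            continue  # variable, local path, or non-Hub reference
        rev = _str(kwargs.get("revision"))
        status = "pinned" if rev and COMMIT_SHA.match(rev) else "unpinned"
        findings.append((repo_id, node.lineno, status))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample pipeline code (not from any real project).
SAMPLE = '''from transformers import AutoModel
m1 = AutoModel.from_pretrained("example-org/demo-model")  # name only
m2 = AutoModel.from_pretrained("example-org/demo-model", revision="main")
m3 = AutoModel.from_pretrained("example-org/demo-model",
                               revision="0123456789abcdef0123456789abcdef01234567")
local = AutoModel.from_pretrained("./checkpoints/local")
'''
```

A reference pinned to a commit hash still stops working if the namespace is reclaimed, but it fails closed instead of silently fetching whatever the new owner publishes under the old name.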
This flaw is not just about namespace squatting—it’s a systemic supply chain vulnerability that affects the very foundation of AI development. Unit 42 stresses: “This discovery proves that trusting models based solely on their names is insufficient and necessitates a critical reevaluation of security in the entire AI ecosystem.”
The consequences are severe: attackers could slip malicious code into healthcare models, financial tools, or autonomous systems—silently poisoning AI-driven decision-making.