Date: 2026-06-23. Executed the huntr MFV cash shot (scanner-bypass code-exec-on-load).
picklescan 1.0.4 (LATEST) + modelscan 0.8.8 (LATEST): a joblib file dumped with compression
(joblib.dump(evil, f, compress=('zlib'|'gzip',3))) where evil.reduce -> (os.system, (...)):
- joblib.load(f) -> CODE-EXEC (os.system fires). Live-confirmed.
- picklescan: infected=0, globals=[] (CLEAN). modelscan: total_issues=0 (CLEAN).
- plain (compress=0) joblib -> BOTH detect (posix.system). The compression container is the bypass:
picklescan parses every file as raw pickle bytes; a compressed joblib starts with a compression magic
byte, not a pickle opcode -> genops errors at offset 0 -> picklescan treats parse-failure as CLEAN
(0 infected) instead of inconclusive. picklescan lists .joblib as a pickle ext + even has gzip
decompression for the TORCH path (torch.py) but applies NO decompression on the joblib path.
This exact bypass is PUBLIC + already PAID to others:
- HuggingFace PoC repo SiggytheShark/pickle-bypass-joblib-compression-evasion (verbatim this).
- arxiv 2508.19774 "The Art of Hide and Seek..." documents the compressed-joblib evasion.
- Researchers were AWARDED $6000 from ProtectAI's MFV program for this class.
=> already disclosed = $0 dup. The disclosure gate caught it after CHEAP confirmation, before any stage
(RAGFlow cycle257 discipline). Confirmed-live != undisclosed.
MFV low-hanging fruit (compression, ext-mismatch, ZIP-tamper, common gadgets) is MINED + actively patched + heavily researched (multiple papers + a paid program with many hunters). A CASH hit needs a NOVEL bypass OUTSIDE the disclosed corpus (a specific EOP loading-path exception or an untested format path not in arxiv 2508.19774), which is a dedicated deep-session, low-probability-per-hour. Recommend: deprioritize MFV as a quick jab; it is a deep-research lane, not a fast cash shot. Better cash jabs = fresh-launch web3 (time-sensitive) or non-IDOR on mature payers. Forgejo port-lag remains the reliable base.