
Hugging Face and ClawHub compromised: malware in hundreds of AI models


Source: TNW. Collage: Hamidun News.

What Happened

Hugging Face is the central repository where more than a million ML models are stored, used by practically every AI company on the planet. It has been discovered that among them are hundreds of malicious models disguised as legitimate ones. This is the first major supply chain attack on AI infrastructure. The malicious models got in because of lax security controls: Hugging Face allows any user to upload models, and attackers exploited this. ClawHub, a repository of agent skills, was also compromised through user-uploaded modules.

Scale of the Attack

  • Hundreds of malicious models in Hugging Face
  • Hidden among more than a million legitimate models
  • Affect developer APIs and private projects
  • ClawHub and other repositories are also compromised
  • First systematic attack on ML infrastructure

How the Malware Works

The malware gets into the model at the upload stage. When a developer downloads a model via the Hugging Face SDK or imports it into code, the model is initialized, and it is at this stage that the malicious code is executed. What it can do:

  • execute arbitrary code on the developer's machine
  • steal data from the developer's working environment
  • install backdoors for remote access
  • compromise production systems when an infected model is deployed
  • spread to dependent projects through the dependency chain

Why This Is Dangerous

AI developers treat Hugging Face as the equivalent of npm or PyPI — they download models like dependencies without checking the code. No one manually reviews the contents of ML models because it is impossible at scale. A malicious model can lie dormant in a production system for months, waiting for a specific condition, or work covertly, gradually collecting data. This is a classic supply chain attack, but in the AI context it is even more dangerous because what is infected is not a library but ready-to-run code with full privileges.

What This Means

AI development infrastructure has become a serious target. The industry needs urgent measures: mechanisms for verifying model code, execution isolation when loading, stricter requirements for uploading to central repositories. This will become a necessary requirement for working with open models.
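The two points above, that code runs when a pickled model is loaded and that loading therefore needs verification and isolation, can be illustrated with a pre-load check. The following is an added example written for this page; it is not code from the article, from Hugging Face or from any tool named in it. It assumes PyTorch-style checkpoints are either bare pickle files or zip archives whose pickles end in `.pkl`, walks the pickle opcode stream with `pickletools` without executing it, and flags every global reference outside a short illustrative allowlist. It also shows why the safetensors format (an 8-byte little-endian header length followed by a JSON header) can be inspected with no code path that could execute. All sample inputs, including the pickle that merely references `os.getcwd`, are constructed inline.

```python
"""Static pre-load checks for model artifacts (added example, not from the article).

Assumptions: checkpoints are bare pickles or zip archives with *.pkl entries;
safetensors = 8-byte LE header length + JSON header + raw tensor bytes.
ALLOWED_GLOBALS is an illustrative, deliberately short allowlist.
"""
import io
import json
import pickle
import pickletools
import struct
import zipfile
from collections import OrderedDict

# Globals a plain state_dict checkpoint legitimately needs (illustrative subset).
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that call something at load time; a legitimate checkpoint uses them too,
# so they are counted for context rather than treated as a verdict on their own.
CONSTRUCT_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream (never unpickles) and collect global references."""
    globals_seen, recent_strings, construct_ops = [], [], 0
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "GLOBAL":                      # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            globals_seen.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            # Protocol 4+: module and name are the two most recent pushed strings.
            # Approximation: a module string re-used from the memo (BINGET) is not tracked.
            globals_seen.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in CONSTRUCT_OPS:
            construct_ops += 1
    disallowed = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {"globals": globals_seen, "disallowed": disallowed,
            "construct_ops": construct_ops, "safe": not disallowed}


def scan_checkpoint(data: bytes) -> dict:
    """Scan a bare pickle, or every *.pkl entry inside a zip-based checkpoint."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return scan_pickle(data)
    globals_seen, construct_ops = [], 0
    with zipfile.ZipFile(buf) as zf:
        for entry in zf.namelist():
            if entry.endswith(".pkl"):
                part = scan_pickle(zf.read(entry))
                globals_seen += part["globals"]
                construct_ops += part["construct_ops"]
    disallowed = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {"globals": globals_seen, "disallowed": disallowed,
            "construct_ops": construct_ops, "safe": not disallowed}


def safetensors_tensor_names(data: bytes) -> list:
    """Read only the JSON header and bounds-check offsets; nothing here can execute."""
    (header_len,) = struct.unpack("<Q", data[:8])
    header = json.loads(data[8:8 + header_len])
    body_len = len(data) - 8 - header_len
    names = []
    for name, meta in header.items():
        if name == "__metadata__":
            continue
        start, end = meta["data_offsets"]
        if not (0 <= start <= end <= body_len):
            raise ValueError(f"offsets for {name} exceed file body")
        names.append(name)
    return sorted(names)


def _zip_with_pickle(pkl: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/data.pkl", pkl)
    return buf.getvalue()


# --- constructed samples -----------------------------------------------------
BENIGN_CHECKPOINT = pickle.dumps({"state": OrderedDict(w=[1.0, 2.0])}, protocol=4)
# Protocol-0 pickle that only references os.getcwd (no REDUCE, so nothing is called);
# an unexpected global is still reason enough to refuse the load.
UNEXPECTED_GLOBAL = b"cos\ngetcwd\n."
ZIP_CHECKPOINT = _zip_with_pickle(UNEXPECTED_GLOBAL)
_raw = struct.pack("<2f", 1.0, 2.0)
_hdr = json.dumps({"weight": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
SAFE_BLOB = struct.pack("<Q", len(_hdr)) + _hdr + _raw

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_CHECKPOINT), ("raw", UNEXPECTED_GLOBAL),
                        ("zip", ZIP_CHECKPOINT)]:
        print(label, scan_checkpoint(blob))
    print("safetensors tensors:", safetensors_tensor_names(SAFE_BLOB))
```

The scanner is a gate, not a substitute for isolation: a model that passes it should still be loaded in a sandboxed process with no credentials, and wherever the publisher offers safetensors weights, preferring them removes the deserialization step entirely.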

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.