
"Hugging Face, the repository that hosts more than a million machine learning models used by virtually every AI company on the planet, has been found to contain hundreds of malicious models capable of executing arbitrary code on the machines of anyone who downloads them. ClawHub, the public registry for OpenClaw's AI agent skills, has been infiltrated by a coordinated campaign that planted 341 malicious skills designed to steal credentials, open reverse shells, and hijack AI agents for cryptocurrency mining."
"The two most important software supply chains in artificial intelligence have been systematically compromised. Hugging Face has been aware of malicious models on its platform since at least 2024, when security firms JFrog and ReversingLabs independently identified models containing hidden backdoors. The problem has not been contained. It has scaled."
"Protect AI, which partnered with Hugging Face to scan the platform's model library, has examined more than four million models and identified approximately 352,000 unsafe or suspicious issues across 51,700 models. JFrog found more than 100 models capable of arbitrary code execution. The attack technique, known as "nullifAI," exploits Python's pickle serialisation format, the standard method for packaging machine learning models."
"Attackers embed malicious Python code at the start of the pickle byte stream and compress the file using 7z rather than the default ZIP format, which breaks Hugging Face"
Hugging Face hosts more than a million machine learning models used across the AI industry and contains hundreds of malicious models capable of executing arbitrary code on systems that download them. ClawHub, a registry for OpenClaw AI agent skills, has been infiltrated with 341 malicious skills designed to steal credentials, open reverse shells, and hijack AI agents for cryptocurrency mining. The attacks rely on the implicit trust developers place in shared repositories and abuse the same industry infrastructure that accelerates development. Hugging Face has been aware of malicious models since at least 2024, but the problem has scaled rather than been contained. Scanning has identified hundreds of thousands of unsafe or suspicious issues across tens of thousands of models, including more than 100 models that achieve arbitrary code execution through a pickle-based technique: the model file is a pickle stream, and pickle streams can instruct the loader to import and call arbitrary Python callables.
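The defender-side check this summary implies but does not show is to inspect a pickle stream statically, enumerating every module/callable it would import and every opcode that invokes a callable, without ever running pickle.load(). The following is an added example written for this page; it is not code from TNW, Hugging Face, Protect AI or JFrog. The allowlist, the sample pickles and the 7z-like header are constructed assumptions for the demo, and the string-operand tracking for STACK_GLOBAL is a heuristic that matches how the standard pickler emits protocol 4 streams.

```python
"""Static pickle inspection: list the callables a model file would import and
invoke at load time, without ever calling pickle.load()."""
import pickle
import pickletools
import zipfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed allowlist of (module, name) pairs a plain tensor checkpoint
# legitimately references. Anything else is reported. Extend per framework.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "LongStorage"),
    ("numpy.core.multiarray", "_reconstruct"),
    ("numpy", "ndarray"),
    ("numpy", "dtype"),
}
# Opcodes that call a callable while the stream is being unpickled.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


@dataclass
class ScanResult:
    globals_seen: List[Tuple[str, str]] = field(default_factory=list)
    flagged: List[Tuple[str, str]] = field(default_factory=list)
    call_opcodes: int = 0
    error: str = ""

    @property
    def safe(self) -> bool:
        # Fail closed: an unparseable stream is rejected, not assumed benign.
        return not self.error and not self.flagged


def scan_pickle_bytes(data: bytes) -> ScanResult:
    """Walk the opcode stream with pickletools.genops; nothing is executed."""
    result = ScanResult()
    strings: List[str] = []  # recent string constants, operands of STACK_GLOBAL
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            name = opcode.name
            if name in STRING_OPCODES:
                strings.append(arg)
            elif name in ("GLOBAL", "INST"):   # protocol 0-3: "module name" text operand
                mod, _, attr = arg.partition(" ")
                result.globals_seen.append((mod, attr))
            elif name == "STACK_GLOBAL":       # protocol 4+: module and name pushed as strings
                if len(strings) >= 2:
                    attr = strings.pop()
                    mod = strings.pop()
                    result.globals_seen.append((mod, attr))
                else:
                    result.error = "STACK_GLOBAL without string operands"
            if name in CALL_OPCODES:
                result.call_opcodes += 1
    except ValueError as exc:  # unknown opcode, truncated stream, bad encoding
        result.error = f"not a valid pickle stream: {exc}"
    result.flagged = [g for g in result.globals_seen if g not in ALLOWED_GLOBALS]
    return result


def scan_model_file(path: str) -> ScanResult:
    """PyTorch checkpoints are ZIP archives holding *.pkl members; scan each.
    A file that is neither a ZIP nor a bare pickle ends up in the error path,
    so an unfamiliar container (such as 7z) is rejected rather than skipped."""
    if zipfile.is_zipfile(path):
        merged = ScanResult()
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    sub = scan_pickle_bytes(zf.read(member))
                    merged.globals_seen += sub.globals_seen
                    merged.flagged += sub.flagged
                    merged.call_opcodes += sub.call_opcodes
                    merged.error = merged.error or sub.error
        return merged
    with open(path, "rb") as fh:
        return scan_pickle_bytes(fh.read())


class _ConstructedReducer:
    """Constructed for the demo: serialises to a REDUCE call of builtins.print,
    the same load-time callable-invocation mechanism a real backdoor relies on."""
    def __reduce__(self):
        return (print, ("constructed demo payload",))


# Constructed sample inputs; none of them is ever passed to pickle.load().
BENIGN_PICKLE = pickle.dumps({"layer": "dense", "weights": [0.1, 0.2, 0.3]})
# Hand-written protocol 0 stream: GLOBAL os getcwd, EMPTY_TUPLE, REDUCE, STOP.
CONSTRUCTED_PROTO0 = b"cos\ngetcwd\n)R."
CONSTRUCTED_PROTO4 = pickle.dumps(_ConstructedReducer(), protocol=4)
NOT_A_PICKLE = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16  # constructed 7z-like header

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PICKLE), ("proto0", CONSTRUCTED_PROTO0),
                        ("proto4", CONSTRUCTED_PROTO4), ("7z-like", NOT_A_PICKLE)]:
        r = scan_pickle_bytes(blob)
        print(f"{label:8} safe={r.safe} flagged={r.flagged} calls={r.call_opcodes} {r.error}")
```

The decision is deliberately allowlist-based and fail-closed: a stream is accepted only when every global it references is on the list and it parses cleanly, so a container the scanner cannot open counts as a rejection rather than a pass. Static opcode inspection is a triage control, not a substitute for avoiding the format; for weights, a non-executable serialisation such as safetensors removes the load-time code path entirely.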
#ai-model-supply-chain #hugging-face-security #malicious-model-backdoors #credential-theft #agent-hijacking
Read at TNW | Security