A malicious repository on Hugging Face, the popular machine learning model hub, delivered infostealer malware to Windows systems before security researchers discovered it. HiddenLayer, an AI security firm, identified the attack and found the fake repository had logged approximately 244,000 downloads. The attackers likely inflated download numbers artificially to boost the model's apparent legitimacy and reach.
The repository masqueraded as an OpenAI release, exploiting trust in the prominent AI lab's brand to lure unsuspecting developers. Infostealer malware typically captures sensitive data like credentials, browser history, and system information. The attack underscores a growing vulnerability in open-source AI ecosystems, where repositories serve as distribution channels for both legitimate models and weaponized code.
Hugging Face removed the malicious repository after detection. The platform hosts millions of models and datasets that researchers and developers rely on daily, making it an attractive target for threat actors. The incident reveals gaps in vetting mechanisms for uploaded content, particularly when attackers use social engineering tactics tied to recognizable company names.
This follows a pattern of supply chain attacks targeting AI infrastructure. Researchers have previously documented malware distributed through PyPI packages and npm libraries disguised as legitimate tools. The Hugging Face incident demonstrates that model repositories face similar risks.
Organizations downloading from Hugging Face should confirm that a model actually comes from the organization it claims to (the publisher's verified account, or an announcement through an official channel) and compare file checksums against values published there. Developers should scan downloaded files with updated antivirus tools before loading them and isolate the machines used to test untrusted models and code. Hugging Face may need stricter repository verification processes, particularly for high-profile models claiming association with known organizations.
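The verification step above, as an added example that is not part of the original article and not HiddenLayer's or Hugging Face's code: a Python script that checks a downloaded model snapshot against publisher-supplied SHA-256 values, flags files that are not model artifacts (a stray Windows executable, for instance), and statically disassembles any pickle-based checkpoint for imports that would execute code on load. It goes beyond the paragraph by inspecting pickle contents, since a checkpoint in that format can carry code; the file names, hashes, allowlists and the constructed malicious pickle are assumptions for illustration, not details of the incident.

```python
# Added example for this article (not HiddenLayer's or Hugging Face's code).
# Assumes the model was fetched to a local directory and that the publisher's
# SHA-256 values come from an official channel. All sample data is constructed.
import hashlib
import pickletools
import tempfile
import zipfile
from pathlib import Path

# Artifact types a model repo legitimately ships; anything else (.exe, .bat, .ps1, .dll) is reported.
ALLOWED_SUFFIXES = {".safetensors", ".json", ".txt", ".md", ".model", ".vocab",
                    ".merges", ".onnx", ".gguf", ".msgpack", ".bin", ".pt",
                    ".pth", ".pkl", ".pickle"}
# Formats that are, or may wrap, pickle streams and so can run code on load.
PICKLE_SUFFIXES = {".bin", ".pt", ".pth", ".pkl", ".pickle"}
# Imports a tensor checkpoint legitimately resolves; reduced allowlist, an assumption here.
BENIGN_IMPORT_PREFIXES = ("torch.", "numpy.", "collections.", "_codecs.")
# Constructed protocol-0 pickle: GLOBAL os.system, then REDUCE -> runs on load.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'calc.exe'\ntR."


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB checkpoints fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def pickle_imports(stream: bytes) -> list[str]:
    """module.attr references a pickle resolves on load, found with pickletools.genops
    (disassembly only, nothing executes). STACK_GLOBAL uses the two last pushed strings."""
    refs, strings = [], []
    try:
        for op, arg, _pos in pickletools.genops(stream):
            if op.name == "GLOBAL":
                refs.append(arg.replace(" ", ".", 1))
            elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
                refs.append(f"{strings[-2]}.{strings[-1]}")
            if isinstance(arg, str):
                strings.append(arg)
    except ValueError:  # not a parseable pickle (raw tensor blob, truncated file)
        pass
    return refs

def suspicious_imports(path: Path) -> list[str]:
    """Non-allowlisted imports in a pickle file or a zip-wrapped torch checkpoint (<name>/data.pkl)."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    else:
        streams = [path.read_bytes()]
    return [ref for data in streams for ref in pickle_imports(data)
            if not ref.startswith(BENIGN_IMPORT_PREFIXES)]

def check_snapshot(snapshot: Path, published: dict[str, str]) -> list[tuple[str, str, str]]:
    """(kind, file, detail) findings; an empty list means hashes match and nothing unexpected was found."""
    findings = []
    present = {p.relative_to(snapshot).as_posix(): p
               for p in snapshot.rglob("*") if p.is_file()}
    for name, want in published.items():
        if name not in present:
            findings.append(("missing", name, "listed by publisher but absent"))
        elif (got := sha256_of(present[name])) != want.lower():
            findings.append(("hash-mismatch", name, f"want {want[:12]}.. got {got[:12]}.."))
    for name, path in present.items():
        suffix = path.suffix.lower()
        if suffix not in ALLOWED_SUFFIXES:
            findings.append(("unexpected-type", name, f"'{suffix}' is not a model artifact"))
        elif suffix in PICKLE_SUFFIXES:
            findings.extend(("pickle-import", name, ref) for ref in suspicious_imports(path))
    return findings

def build_demo_snapshot(root: Path) -> dict[str, str]:
    """Constructed snapshot: two honest files, one swapped after its hash was published,
    one listed but never uploaded, a pickle calling os.system on load, a stray .exe."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "config.json").write_bytes(b'{"model_type": "gpt2"}')
    (root / "model.safetensors").write_bytes(b"\x00" * 64)
    (root / "tokenizer.json").write_bytes(b"{}")
    (root / "pytorch_model.bin").write_bytes(MALICIOUS_PICKLE)
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 30)
    published = {n: sha256_of(root / n)
                 for n in ("config.json", "model.safetensors", "tokenizer.json")}
    (root / "tokenizer.json").write_bytes(b'{"tampered": true}')  # post-publish swap
    published["generation_config.json"] = "0" * 64
    return published

def run_demo() -> list[tuple[str, str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "snapshot"
        return check_snapshot(root, build_demo_snapshot(root))

if __name__ == "__main__":
    for kind, name, detail in run_demo():
        print(f"{kind:16} {name:22} {detail}")
```

Run directly, it reports four findings on the constructed snapshot (a missing file, a hash mismatch, the `.exe`, and the `os.system` reference in the pickle) while the two intact artifacts pass. In practice, point `check_snapshot` at the directory a model was downloaded into and a dict of hashes copied from the publisher's official channel, and treat any finding as a reason not to load the model until someone has looked at it.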
The attack reflects broader challenges in securing open-source ecosystems at scale. As AI development becomes more collaborative and decentralized, the attack surface expands. Security teams must balance the openness that drives innovation with protections against impersonation and malware.
