A malicious repository hosted on Hugging Face has raised new concerns about the growing cybersecurity risks tied to public AI development platforms after attackers disguised malware as a legitimate OpenAI-related release.
According to security researchers at HiddenLayer, the repository imitated a real AI privacy-filtering project while secretly delivering credential-stealing malware to Windows systems. Before the repository was removed, it reportedly accumulated roughly 244,000 downloads and rapidly climbed Hugging Face’s trending rankings.
Researchers believe some of those engagement metrics may have been artificially inflated to make the repository appear more trustworthy and widely adopted.
The incident highlights how AI model registries are increasingly becoming part of the modern software supply chain — and potentially a new attack surface for threat actors.
Attackers Mimicked a Legitimate AI Project
The malicious repository reportedly copied the original project documentation and setup instructions almost identically, making it difficult for users to distinguish it from the authentic release.
However, researchers identified one major difference: users were instructed to execute setup files such as start.bat or run a Python loader script directly on their systems. Those installation steps triggered the malware infection chain.
Security analysts say the repository included a malicious loader.py file disguised as part of the normal AI setup process. Once executed, the script initiated a hidden sequence of commands that ultimately downloaded and installed credential-stealing malware on the victim’s machine.
The attack demonstrates how threat actors are increasingly targeting developer trust rather than exploiting traditional software vulnerabilities.
AI Repositories Are Becoming Supply Chain Targets
Public AI repositories now contain far more than just model weights. Many projects also include executable scripts, dependency installers, notebooks, setup instructions, and automation tooling.
That broader ecosystem creates opportunities for attackers to hide malicious code inside seemingly legitimate development workflows.
Developers often clone repositories directly into enterprise environments that contain sensitive assets such as source code, cloud credentials, API keys, and internal infrastructure access. As a result, compromising an AI repository can provide attackers with a direct path into corporate systems.
Researchers have previously warned that malicious logic can be embedded inside AI model files or hidden in setup scripts that bypass traditional security scanning tools.
Unlike conventional software packages, many AI workflows still lack mature supply chain security controls.
How the Malware Worked
According to HiddenLayer’s analysis, the malicious loader initially appeared to function like a normal AI model installer before pivoting into a concealed infection process.
The script reportedly disabled SSL verification, decoded a hidden remote URL, and downloaded additional payload instructions from an external service. On Windows systems, commands were then passed to PowerShell to retrieve secondary malware components from attacker-controlled infrastructure.
The malware also established persistence mechanisms designed to survive system reboots. One method reportedly involved creating scheduled tasks disguised as legitimate Microsoft Edge update processes.
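The loader behaviours described above (disabled SSL verification, a decoded hidden URL, a hand-off to PowerShell) and the executable setup files mentioned earlier (start.bat, loader.py) can be screened for before anything in a cloned repository is run. The following is an added example written for this article, not HiddenLayer's tooling or code from the repository: a small static pre-flight check over a repository's files, with labels and patterns that are our own and a constructed sample repository in place of the real one.

```python
import ast
# Labels and patterns are our own, derived from the behaviours described in the
# write-up; they are not HiddenLayer's detection rules.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".exe", ".vbs")
SHELL_CALLS = ("subprocess.run", "subprocess.Popen", "subprocess.call", "os.system")

def _call_name(call):
    """Dotted name of a call target, e.g. 'subprocess.run'."""
    parts, f = [], call.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    return ".".join(reversed(parts + [f.id] if isinstance(f, ast.Name) else parts))

def scan_python_source(src):
    """Return sorted finding labels for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add("ssl-verification-disabled")   # call or monkey-patch assignment
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name.endswith("b64decode"):
            findings.add("encoded-string-decoded")      # hidden URL or payload instructions
        if name in SHELL_CALLS and any(isinstance(n, ast.Constant) and "powershell"
                                       in str(n.value).lower() for n in ast.walk(node)):
            findings.add("powershell-invocation")
    return sorted(findings)

def scan_repo(files):
    """files: {relative_path: text}. Returns {path: [labels]} for flagged files only."""
    report = {}
    for path, content in files.items():
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            report[path] = ["executable-setup-file"]
        elif path.endswith(".py") and (hits := scan_python_source(content)):
            report[path] = hits
    return report

# Constructed sample repository (not the real files): a loader with the described
# behaviours, the batch launcher, and a harmless model script that must stay clean.
SAMPLE_REPO = {
    "start.bat": "@echo off\npython loader.py\n",
    "loader.py": ("import ssl, base64, subprocess\n"
                  "ssl._create_default_https_context = ssl._create_unverified_context\n"
                  "url = base64.b64decode(b'<base64 placeholder>').decode()\n"
                  "subprocess.run(['powershell', '-Command', 'Get-Date'])\n"),
    "model.py": "import torch\nmodel = torch.nn.Linear(4, 2)\n",
}
```

Any flagged file is a reason to read the script by hand in an isolated environment before following the repository's setup instructions; a clean report is not proof of safety, since the check only covers the patterns the write-up names.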
Researchers say the final payload was a Rust-based infostealer capable of targeting a wide range of sensitive information.
The malware reportedly attempted to collect:
- Browser credentials and session cookies
- Discord local storage data
- Cryptocurrency wallet information
- FileZilla configuration files
- Host system details
The malware also attempted to disable certain Windows security and logging protections to reduce the likelihood of detection.
Session Cookies Create Additional Risks
One of the more serious concerns with modern infostealer malware is the theft of browser session cookies rather than passwords alone.
Even if organizations enforce multi-factor authentication, stolen session tokens can sometimes allow attackers to bypass MFA protections by hijacking already authenticated sessions.
That risk is especially significant for developers and AI researchers who may remain logged into cloud infrastructure platforms, internal dashboards, or code repositories while testing external AI projects.
Security researchers warned that any machine running the malicious files should be treated as fully compromised.
The Broader AI Security Problem
The incident reflects a larger issue emerging across the AI ecosystem: security tooling has not fully caught up with the speed of AI development workflows.
Traditional software composition analysis tools are designed to inspect package dependencies, libraries, and containers. Many are less effective at identifying malicious logic hidden inside AI setup scripts, notebooks, or model-loading pipelines.
As AI adoption accelerates inside enterprises, security teams are increasingly being forced to monitor not just traditional software dependencies, but also AI artifacts, model registries, datasets, and automation frameworks.
Industry experts have begun advocating for AI-specific “bills of materials” that track where AI assets originated, which versions were approved internally, and whether they contain executable components.
That visibility may become increasingly important as organizations integrate more third-party AI tooling into production environments.
A Warning Sign for Enterprise AI Adoption
The Hugging Face incident underscores how quickly attackers adapt to new technology ecosystems once adoption reaches scale.
AI repositories have become highly trusted environments for developers, researchers, and enterprises experimenting with machine learning systems. That trust also makes them attractive targets for cybercriminals looking to infiltrate corporate environments through less scrutinized channels.
As organizations continue integrating AI into daily workflows, security teams may need to treat external AI repositories with the same level of caution traditionally reserved for third-party software packages and open-source dependencies.