CISO Brief

All news with #hugging face tag

16 articles

Malicious Infostealer Found in Top Hugging Face Repo

🔒 HiddenLayer discovered the Open-OSS/privacy-filter repository on Hugging Face was malicious on May 7. The repo, which copied OpenAI's Privacy Filter model card almost verbatim and showed inflated engagement, delivered a Rust-based infostealer via a base64-encoded loader. The malware steals browser passwords, session cookies, tokens, crypto wallet data and other credentials. HiddenLayer warns anyone who ran files from the repo to treat hosts as fully compromised and to wipe, isolate and rotate all affected credentials.

Fake Hugging Face Model Impersonating OpenAI Hits 244K

⚠️ A malicious Hugging Face repository posing as an OpenAI release delivered an infostealer to Windows hosts and accumulated about 244,000 downloads before removal. Researchers at HiddenLayer found the repo copied OpenAI’s model card and included a loader.py that fetched and executed credential-stealing payloads. The loader disabled SSL verification, used jsonkeeper.com as a C2, and employed scheduled tasks and a Rust-based infostealer to exfiltrate browser data, wallets, Discord storage, and FileZilla credentials.

Fake OpenAI Model on Hugging Face Delivered Info Stealer

🚨 A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model reached #1 trending before being disabled after delivering a Rust-based information stealer to Windows users. The attacker typosquatted the legitimate release and copied its model card, instructing victims to run a loader.py or Windows start.bat to fetch payloads via a JSON Keeper dead drop. The multi-stage chain used PowerShell to download secondary loaders, set Defender exclusions, and install a one-shot scheduled task that launched a stealer collecting browser, wallet and app data for exfiltration.

Fake Hugging Face Repo Pushes Rust Infostealer and Typosquatting

⚠️ A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter and briefly reached #1, reportedly accumulating 244,000 downloads before removal. HiddenLayer found the repo used a typosquatted name and a loader.py that disabled SSL checks, decoded a base64 URL, and executed a PowerShell chain to deploy a Rust-based infostealer. The malware harvests browser credentials, tokens, wallets, SSH/FTP/VPN files and more, exfiltrating data to a C2 server. Users are urged to reimage affected machines, rotate credentials, and replace wallets and seed phrases.

Critical CVE-2026-25874 in LeRobot Enables Remote RCE

⚠️ A critical vulnerability, CVE-2026-25874, was disclosed in Hugging Face's open-source robotics framework LeRobot, enabling unauthenticated remote code execution via unsafe deserialization with pickle.loads(). The flaw affects the async inference PolicyServer handling gRPC calls (SendPolicyInstructions, SendObservations, GetActions) over unauthenticated channels and has been validated against LeRobot 0.4.3. A patch is planned for version 0.6.0; operators should treat exposed instances as high-risk and apply mitigations such as enabling TLS, restricting network access, and eliminating pickle-based deserialization.

Hackers Use Marimo Flaw to Deploy NKAbuse via Hugging Face

⚠️ Researchers observed attackers exploiting a critical Marimo remote code execution flaw (CVE-2026-39987) to deploy a new NKAbuse variant hosted on Hugging Face Spaces. Attack activity began within hours of public disclosure, with a Space named "vsccode-modetx" serving a dropper script and a malicious binary labeled kagent. The dropper retrieves and runs the payload via curl, then installs persistence via systemd, cron, or macOS LaunchAgent, while Spaces' legitimate HTTPS hosting helps evade detection. Operators are urged to upgrade to version 0.23.0 or block the '/terminal/ws' endpoint if upgrades are not possible.

Android RAT Abuses Hugging Face to Host Malware Campaign

🔒 A new Android remote access trojan (RAT) leverages the AI hosting platform Hugging Face to store and deliver malicious APK payloads, researchers at Bitdefender report. The campaign distributes a dropper app called TrustBastion that uses fake update dialogs to trick users into downloading an updater which redirects to repositories hosting polymorphic RAT APKs. Operators made frequent commits and shifted repositories to avoid takedowns, while the malware requests Accessibility and screen-recording permissions to capture credentials and relay data to command-and-control servers.

Hugging Face Hosting Abused to Distribute Android RAT

🛡️ Bitdefender Labs reports a large-scale Android malware campaign that leveraged Hugging Face's public hosting to deliver a remote access trojan (RAT). The operation begins with a scareware dropper disguised as a security app, TrustBastion, which tricks users via fake infection alerts into downloading a second-stage APK from a Hugging Face dataset. Attackers automated payload generation with thousands of unique APKs and frequent commits to evade signature-based detection. The installed RAT requests high-risk permissions — Accessibility Services, screen recording, casting, and overlay rights — enabling credential harvesting, screen capture, persistent control, and exfiltration; Bitdefender notified Hugging Face and the malicious datasets were removed, though variants resurfaced elsewhere.

Hugging Face abused to host thousands of Android malware

🚨 Researchers at Bitdefender found an Android campaign using the Hugging Face platform to host and serve thousands of malicious APK variants. A scareware dropper called TrustBastion lures victims with fake Google Play update prompts, redirects to a Hugging Face dataset, and downloads the payload via the platform's CDN. The RAT aggressively abuses Android Accessibility Services to present overlays, capture screens, impersonate login UIs for services such as Alipay and WeChat, block uninstall, and exfiltrate credentials; Hugging Face removed the malicious datasets after notification.

Python libraries for Hugging Face models enable RCE

⚠️ Researchers at Palo Alto Networks' Unit 42 disclosed critical weaknesses in the NeMo, Uni2TS and FlexTok Python libraries used with Hugging Face models, where malicious code can be hidden in model metadata and executed automatically when a manipulated file is loaded. The root cause is the use of Hydra's instantiate(), which accepts arbitrary callables and arguments and can therefore permit remote code execution if metadata is untrusted. Vendors including NVIDIA, Salesforce and the maintainers of FlexTok have issued fixes and CVE assignments; users should upgrade affected libraries and audit models before loading.

BigQuery: Managed SQL-native Inference for Open Models

🚀 BigQuery now supports managed third‑party generative AI inference (Preview) for open models from Hugging Face and Vertex AI Model Garden, enabling SQL-native deployment and inference. With a single CREATE MODEL statement you can provision and configure compute, control lifecycle with endpoint_idle_ttl and ALTER MODEL, and run inference via AI.GENERATE_TEXT or AI.GENERATE_EMBEDDING. BigQuery automates resource cleanup and integrates cost controls to reduce operational overhead.

Google Cloud expands Hugging Face support for AI developers

🤝 Google Cloud and Hugging Face are deepening their partnership to speed developer workflows and strengthen enterprise model deployments. A new gateway will cache Hugging Face models and datasets on Google Cloud so downloads take minutes, not hours, across Vertex AI and Google Kubernetes Engine. The collaboration adds native TPU support for open models and integrates Google Cloud’s threat intelligence and Mandiant scanning for models served through Vertex AI.

AI startups expose API keys on GitHub, risking models

🔐 New research by cloud security firm Wiz found verified secret leaks in 65% of the Forbes AI 50, with API keys and access tokens exposed on GitHub. Some credentials were tied to vendors such as Hugging Face, Weights & Biases, and LangChain, potentially granting access to private models, training data, and internal details. Nearly half of Wiz’s disclosure attempts failed or received no response. The findings highlight urgent gaps in secret management and DevSecOps practices.

Hugging Face and VirusTotal: Integrating Security Insights

🔒 VirusTotal and Hugging Face have announced a collaboration to surface security insights directly within the Hugging Face platform. When browsing model files, datasets, or related artifacts, users will now see multi‑scanner results including VirusTotal detections and links to public reports so potential risks can be reviewed before downloading. VirusTotal is also enhancing its analysis portfolio with AI-driven tools such as Code Insight and format‑aware scanners (picklescan, safepickle, ModelScan) to highlight unsafe deserialization flows and other risky patterns. The integration aims to increase visibility across the AI supply chain and help researchers, developers, and defenders build more secure models and workflows.

Gemini and Open-Source Text Embeddings Now in BigQuery ML

🚀 Google expanded BigQuery ML to generate embeddings from Gemini and over 13,000 open-source text-embedding models via Hugging Face, all callable with simple SQL. The post summarizes model tiers to help teams trade off quality, cost, and scalability, and introduces Gemini's Tokens Per Minute (TPM) quota for throughput control. It shows a practical workflow to deploy OSS models to Vertex AI endpoints, run ML.GENERATE_EMBEDDING for batch jobs, and undeploy to minimize idle costs, plus a Colab tutorial and cost/scale guidance.

Model Namespace Reuse: Supply-Chain RCE in Cloud AI

🔒 Unit 42 describes a widespread flaw called Model Namespace Reuse that lets attackers reclaim abandoned Hugging Face Author/ModelName namespaces and distribute malicious model code. The technique can lead to remote code execution and was demonstrated against major platforms including Google Vertex AI and Azure AI Foundry, as well as thousands of open-source projects. Recommended mitigations include version pinning, cloning models to trusted storage, and scanning repositories for reusable references.