
Hugging Face in the Media
28 mentions across press, blogs, and newsletters
May 2026
Hugging Face Hiding Second-Stage Malware for npm Supply Chain Attack
Tushar Subhra Dutta reports: Hackers have found a new and alarming way to weaponize one of the most trusted platforms in the AI world. A threat actor linked to North Korea has embedded second-stage malware inside Hugging Face, the widely used AI and machine learning hub, effectively turning it into
Hackers Use Hugging Face to Host Second-Stage Malware for npm Supply Chain Attack
Hackers have found a new and alarming way to weaponize one of the most trusted platforms in the AI world. A threat actor linked to North Korea has embedded second-stage malware inside Hugging Face, the widely used AI and machine learning hub, effectively turning it into a malware delivery channel
Hackers Abuse Hugging Face to Deliver npm Malware
A newly uncovered supply chain attack targeting the npm ecosystem has been linked to North Korean (DPRK)-aligned threat actors. The campaign centers around a malicious npm package named terminal-logger-utils, which embeds a sophisticated multi-stage malware capable of keylogging, data exfiltratio
Fake OpenAI Repo Hit #1 on Hugging Face—And Stole Passwords While It Trended
A lookalike repository impersonating OpenAI's Privacy Filter model racked up 244,000 downloads in under 18 hours before Hugging Face pulled it.
Hugging Face Packages Weaponized With a Single File Tweak
A tokenizer library file present in Hugging Face AI models can be manipulated to hijack the model's outputs and exfiltrate data.
Hugging Face hosted malicious software masquerading as OpenAI release
A malicious Hugging Face repository that posed as an OpenAI release delivered infostealer malware to Windows machines and recorded about 244,000 downloads before removal, according to research from AI security firm HiddenLayer. The number of downloads may have been artificially inflated by the at
Malicious Hugging Face Repository Typosquats OpenAI
HiddenLayer reveals infostealer malware in a Hugging Face repository
A fake OpenAI repository has taken top spot on Hugging Face — but all it does is push infostealer malware
Its popularity may have been faked, though, as the "likes" all came from auto-generated accounts.
Trending Hugging Face Repository With 200k Downloads Executes Malware on Windows Machines
A popular artificial intelligence repository on Hugging Face was recently found hiding dangerous malware that targeted Windows users. The repository, named “Open-OSS/privacy-filter,” had racked up over 200,000 downloads before the platform’s team stepped in and removed it. The m
Malicious Hugging Face model masquerading as OpenAI release hits 244K downloads
A mal
Fake OpenAI Hugging Face OpenAI Repo Pushed Infostealer Malware
A fake OpenAI-branded Hugging Face
Trending Hugging Face Repo With 200K Downloads Spreads Windows Malware
A malicious Hugging Face repository, Open-OSS/privacy-filter, that abused the platform’s trust and trending algorithm to deliver a sophisticated Rust-based infostealer to Windows users. The project briefly reached the #1 trending position with roughly 244,000 downloads and hundreds of likes befor
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, r
Fake OpenAI repository on Hugging Face pushes infostealer malware
A malicious Hugging Face repository that reached the platform's trending list impersonated OpenAI's "Privacy Filter" project to deliver information-stealing malware to Windows users. [...]
Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware
An active malware distribution campaign abusing two prominent AI platforms Hugging Face and ClawHub to deliver trojans, cryptominers, and infostealers disguised as legitimate AI tools and agent extensions. The campaign marks a significant evolution in supply chain attacks, shifting from tradition
Hugging Face launches robot app store
Open-source AI platform Hugging Face will formally launch an app store Wednesday for its Reachy Mini robot, CEO Clément Delangue tells Axios. Why it matters: The goal is to help nontechnical people create customized uses for the open-source robot, Delangue
The app store for robots has arrived: Hugging Face launches open-source Reachy Mini App Store with 200+ apps
There's an app for nearly every imaginable user and use case these days, but one thing they all have in common is that they're centered around one device: the smartphone. That changes today as Hugging Face, the 10-year-old New York City startu
Hugging Face, ClawHub Abused for Malware Distribution
Threat actors are relying on social engineering to lure users into downloading files containing malicious instructions. The post Hugging Face, ClawHub Abused for Malware Distribution appeared f
April 2026
Hugging Face LeRobot Vulnerability Enables Unauthenticated RCE Attacks
A critical, currently unpatched remote code execution (RCE) vulnerability has been disclosed in LeRobot, Hugging Face’s popular open-source machine learning framework for real-world robotics. Tracked as CVE-2026-25874 with a critical CVSS score of 9.3, the flaw allows unauthenticated attack
Hugging Face LeRobot Flaw Opens Door to Remote Code Execution Attacks
A critical remote code execution (RCE) vulnerability has been uncovered in Hugging Face’s LeRobot, a popular open-source robotics machine learning framework. Tracked as CVE-2026-25874, the flaw carries a maximum CVSS severity score of 9.8 and allows unauthenticated attackers to execute arbitrary
Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE
Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution. The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), w
Malicious npm Package Turns Hugging Face Into Malware CDN and Exfiltration Backend
A rogue npm package named js-logger-pack has been caught quietly turning Hugging Face, a widely trusted AI model hosting platform, into both a malware delivery network and a stolen data storage backend. The campaign marks a clear shift in how attackers abuse legitimate cloud services to run suppl
Malicious npm Package Hijacks Hugging Face for Malware Delivery
Malicious npm package js-logger-pack is now abusing Hugging Face not just as a malware CDN, but also as a live exfiltration backend for stolen data, turning a popular AI platform into part of a full-featured cross‑platform implant chain. Earlier campaign phases already used Hugging Face as a simp
Attackers Weaponize CVE-2026-39987 to Spread Blockchain-Based Backdoor Via Hugging Face
A critical vulnerability in the marimo Python notebook platform is now being actively used by attackers to deploy a blockchain-powered backdoor on developer systems. The flaw, tracked as CVE-2026-39987, allows remote code execution without authentication, making it a dangerous entry point for thr
Weaponized CVE-2026-39987 Pushes Blockchain Backdoor Through Hugging Face
Attackers are rapidly exploiting CVE-2026-39987 in the marimo Python notebook platform to deploy a new NKAbuse backdoor variant hosted on Hugging Face Spaces, turning AI/ML developer environments into high‑value infection points. The campaign combines pre-auth RCE, credential theft, lateral movem
Hackers exploit Marimo flaw to deploy NKAbuse malware from Hugging Face
Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces. [...]
February 2026
Open-Source llama.cpp Finds Long-Term Home at Hugging Face
ggml.ai has joined Hugging Face to
ggml.ai joins Hugging Face to ensure the long-term progress of Local AI
ggml.ai joins Hugging Face to ensure the long-term progress of Local AI I don't normally cover acquisition news like this, but I have some thoughts. It's hard to overstate the impact Georgi Gerganov