Security

Hugging Face: Autonomous AI Agent Hacks Internal Systems

2 min read
Security analysts review server logs and network diagrams at night after a cyberattack on the infrastructure of Hugging Face. Image generated with GPT Image 2
Security analysts review server logs and network diagrams at night after a cyberattack on the infrastructure of Hugging Face.

TL;DR Too Long; Didn’t read

Hugging Face has disclosed an attack carried out by an autonomous AI agent over a weekend with more than 17,000 individual actions. The agent exploited two vulnerabilities in the dataset pipeline to gain access to internal clusters and credentials. According to the company, public models and datasets remained unaffected.

Key takeaways

  • More than 17,000 automated attack actions recorded over a single weekend.
  • A prepared dataset with two pipeline vulnerabilities provided the initial access.
  • Commercial AI models refused analysis because requests contained exploit code.
  • Hugging Face resorted to the open model GLM-5.2 for forensics.
  • Public models, datasets, and Spaces remained untouched according to the company.
  • Affected users are advised to renew their access tokens immediately.

Hugging Face has disclosed a security incident in which an autonomous AI agent infiltrated the company’s internal infrastructure without ongoing human control. The attacker executed more than 17,000 individual actions in ephemeral computing environments over the weekend, reaching several internal clusters.

Manipulated Dataset Opens Access to Internal Servers

According to Hugging Face, the attack began with a prepared dataset. This combined two vulnerabilities in the processing pipeline: a loader with remote execution risk and a template injection in the dataset configuration. Through this, the agent initially gained access to individual processing servers of the company.

From there, the attacker gradually moved on, first to individual compute nodes, then to several internal clusters. In the process, they accessed a limited inventory of internal datasets and stole several service credentials. For the individual steps, the agent used an autonomous framework, according to the company, which independently selected targets and executed actions without a human approving each step individually. Overall, Hugging Face recorded more than 17,000 such actions, distributed across numerous ephemeral sandboxes in a single weekend, according to its own, independently unverified statements.

Public models, datasets, and Spaces on the platform were reportedly not manipulated, nor was the software supply chain. Customers who obtain models or datasets from Hugging Face are therefore not at immediate risk from the incident itself.

Open Model Takes Over Forensic Evaluation

In the investigation, Hugging Face encountered an obstacle: commercial AI models reportedly refused to analyze individual attack steps. The reason was that the associated data packages contained exploit code, thus violating the usage policies of the providers. The company therefore resorted to the open model GLM-5.2 and conducted the forensic evaluation on its own infrastructure.

“The attacker was not bound by any usage policy, whereas our own forensic work was,” Hugging Face writes in the report. Using this method, the security team evaluated more than 17,000 logged attacker events. The investigation thus took only hours instead of the usual several days. The specialized service HyperAI classified the incident as evidence of a structural asymmetry: attacking AI systems reportedly face no restrictions, while defensive tools are hampered by their own safety filters.

In response, Hugging Face closed the affected code paths, revoked compromised credentials, and brought in external forensic specialists as well as law enforcement agencies. Users of the platform are advised to renew their access tokens and check their account activity.

It remains unclear who is behind the attack and whether it was a security researcher, a competitor, or criminal actors — Hugging Face provides no clues in this regard. It will be crucial whether other providers of model and dataset platforms address similar asymmetries between offensive and defensive AI tools before comparable automated attacks become standard practice.

Frequently asked questions

Are models stored at Hugging Face by customers at risk due to the incident?

According to the company, there is no evidence of tampering with public models, datasets, or the software supply chain. Those who are uncertain should still check their account activity afterwards.

What should users of the platform do now?

Hugging Face recommends renewing access tokens and monitoring for unusual activity in their accounts. A dedicated contact address for security inquiries is available in case of suspicions.

Who is behind the attack?

Hugging Face does not name any responsible party in the disclosure. The company has referred the case to external forensic experts and law enforcement.

Is this the first known case of an attack executed autonomously by AI?

Hugging Face describes the incident as a rare documented example of a largely independently executed attack of this scale. Independently confirmed comparable cases of similar magnitude have hardly been publicly documented so far.

Why could a commercial AI model not assist in the investigation?

The analysis requests contained exploit code from the attack, which was blocked by the usage policies of the commercial providers. Therefore, Hugging Face resorted to an open model on its own infrastructure.


← Back to the blog