Hugging Face has disclosed a security incident in which an autonomous AI agent infiltrated the company’s internal infrastructure without ongoing human control. The attacker executed more than 17,000 individual actions in ephemeral computing environments over the weekend, reaching several internal clusters.
Manipulated Dataset Opens Access to Internal Servers
According to Hugging Face, the attack began with a prepared dataset. This combined two vulnerabilities in the processing pipeline: a loader with remote execution risk and a template injection in the dataset configuration. Through this, the agent initially gained access to individual processing servers of the company.
From there, the attacker gradually moved on, first to individual compute nodes, then to several internal clusters. In the process, they accessed a limited inventory of internal datasets and stole several service credentials. For the individual steps, the agent used an autonomous framework, according to the company, which independently selected targets and executed actions without a human approving each step individually. Overall, Hugging Face recorded more than 17,000 such actions, distributed across numerous ephemeral sandboxes in a single weekend, according to its own, independently unverified statements.
Public models, datasets, and Spaces on the platform were reportedly not manipulated, nor was the software supply chain. Customers who obtain models or datasets from Hugging Face are therefore not at immediate risk from the incident itself.
Open Model Takes Over Forensic Evaluation
In the investigation, Hugging Face encountered an obstacle: commercial AI models reportedly refused to analyze individual attack steps. The reason was that the associated data packages contained exploit code, thus violating the usage policies of the providers. The company therefore resorted to the open model GLM-5.2 and conducted the forensic evaluation on its own infrastructure.
“The attacker was not bound by any usage policy, whereas our own forensic work was,” Hugging Face writes in the report. Using this method, the security team evaluated more than 17,000 logged attacker events. The investigation thus took only hours instead of the usual several days. The specialized service HyperAI classified the incident as evidence of a structural asymmetry: attacking AI systems reportedly face no restrictions, while defensive tools are hampered by their own safety filters.
In response, Hugging Face closed the affected code paths, revoked compromised credentials, and brought in external forensic specialists as well as law enforcement agencies. Users of the platform are advised to renew their access tokens and check their account activity.
It remains unclear who is behind the attack and whether it was a security researcher, a competitor, or criminal actors — Hugging Face provides no clues in this regard. It will be crucial whether other providers of model and dataset platforms address similar asymmetries between offensive and defensive AI tools before comparable automated attacks become standard practice.


