Hugging Face Says AI Agent Drove Production Infrastructure Intrusion
Hugging Face said an autonomous AI agent system drove an intrusion into part of its production infrastructure, reaching internal datasets and service credentials. The company said public models, datasets and Spaces were not tampered with, while its assessment of partner or customer data remains unfinished.

An autonomous AI agent system drove an intrusion into part of Hugging Face’s production infrastructure, according to the company’s July 2026 security disclosure.
The incident involved unauthorised access to a limited set of internal datasets and several service credentials.
Hugging Face reported no evidence of tampering with public user-facing models, datasets or Spaces, and its disclosure listed container images and published packages as verified clean.
Malicious Dataset Reached Processing Infrastructure
The intrusion began in Hugging Face’s data-processing pipeline.
The disclosure identified two abused code-execution paths: a remote-code dataset loader and template injection in a dataset configuration.
Those paths let code run on a processing worker.
After that access, the actor obtained node-level privileges, collected cloud and cluster credentials, and moved across several internal clusters during a weekend.
The disclosure described the campaign as the work of an autonomous agent framework that appeared to be built on an agentic security-research harness.
The model used by the attacker remains unknown, and the campaign executed many thousands of actions across short-lived sandboxes.
Credentials Rotated And Entry Paths Closed
The remediation closed the dataset code-execution paths used for initial access and removed the attacker’s foothold from affected clusters.
Compromised nodes were rebuilt, and affected credentials and tokens were revoked and rotated.
The remediation also included a broader precautionary rotation of secrets, stricter admission controls on clusters and high-severity alerting designed to page a responder in minutes.
Hugging Face is working with outside cybersecurity forensic specialists and has reported the incident to law enforcement agencies.
For users, the company recommended rotating access tokens and reviewing recent account activity.
The disclosure gave [email protected] as the contact point for affected users or security reports.
LLM Analysis Rebuilt More Than 17,000 Events
AI-assisted detection first surfaced the compromise, according to the disclosure.
Its anomaly-detection pipeline uses LLM-based triage over security telemetry, and correlated signals flagged the incident.
The response team then ran LLM-driven analysis agents over the attacker action log, which contained more than 17,000 recorded events.
That review reconstructed the timeline, extracted indicators of compromise, mapped touched credentials and separated genuine impact from decoy activity.
Hosted frontier-model APIs were not used for the forensic review after providers’ safety guardrails blocked requests containing real attack commands, exploit payloads and command-and-control artefacts.
The response team instead ran the analysis on GLM 5.2, an open-weight model, on company infrastructure so attacker data and referenced credentials did not leave that environment.
Undisclosed items include any affected partner or customer data, the model that powered the attacker’s agents, and any law-enforcement attribution for the actor.


















