Tag: hugging face
6 articles

Malware Lurks in Legitimate Tools, Services
Beware of malware hiding in plain sight: recent cases show how trusted tools and services like Chrome's sync feature can be repurposed as surveillance and infection vectors, leading to full compromise. Malicious packages, like 11 fake NuGet game utilities, can sneak in undetected, downloading second-stage payloads and wreaking havoc.

ChromaDB Flaw Enables Server Hijacking via AI Model Exploit
A newly discovered vulnerability, CVE-2026-45829, in ChromaDB's Python FastAPI variant allows hackers to hijack servers by exploiting AI models, with a security expert noting that authentication is present but poorly placed. This flaw lets unauthenticated attackers run arbitrary code on exposed servers by cleverly manipulating API endpoints.

Hugging Face Repository Exploits Typosquatting to Spread Infostealer Malware
Security researchers have uncovered a cunning malware attack on Hugging Face, where a fake repository mimicked a popular AI project, racking up over 244,000 downloads and 667 likes in just 18 hours. The malicious repository used a classic typosquatting trick to deceive users searching for the genuine project.

Malicious Repo Exploits OpenAI Model to Deliver Info Stealer
A malicious repository disguised as OpenAI's legitimate Privacy Filter model racked up 244,000 downloads and became the #1 trending project on Hugging Face, but actually hid a sneaky Rust-based information stealer targeting Windows machines. The fake repository, Open-OSS/privacy-filter, expertly impersonated OpenAI's release, even copying the official model card to gain users' trust.

Malicious Hugging Face repository targets Windows users with infostealer malware
Malicious actors on Hugging Face tricked Windows users into downloading infostealer malware by creating a fake repository that mimicked OpenAI's popular Privacy Filter release. The rogue repository briefly shot to the top of Hugging Face's trending list, racking up 244,000 downloads before being swiftly removed.

Hackers exploit Marimo flaw to spread NKAbuse malware via Hugging Face
Hackers are exploiting a critical flaw in Marimo's reactive Python notebook to spread a new variant of NKAbuse malware, sneaking malicious payloads onto Hugging Face Spaces, a popular platform for sharing machine learning models. This alarming attack highlights the need for vigilance when it comes to defending against malware disguised as code-sharing tools.