A malware campaign targeting AI developers has sent shockwaves through the open AI research community. A malicious repository on the model-sharing platform Hugging Face presented itself as an official OpenAI release, but in reality contained infostealer software designed to harvest information from Windows machines. The attack was uncovered by security firm HiddenLayer, according to AI News.
A Quarter of a Million Downloads Before Detection
Before the repository was identified and removed, it had recorded approximately 244,000 downloads. HiddenLayer stresses, however, that this figure likely does not reflect the actual number of victims. The attackers may have artificially inflated the download count to lend the model an air of legitimacy and popularity — a classic social engineering tactic that lowers the guard of potential victims.
The download count may have been artificially inflated by the attackers to make the model appear more popular and credible.
Whether and to what extent machines were actually compromised has not yet been verified in available source material. The true scale of the damage should therefore be treated with caution until independent analyses are available.

Hugging Face: Multiple Security Layers — But Not Watertight
Hugging Face is today the world's largest open platform for AI models and datasets. The platform has implemented a range of security measures to catch malicious uploads.
Despite these layers of protection, the platform has on several occasions struggled to catch sophisticated malware. As early as February and March 2024, more than 100 malicious AI models were discovered on Hugging Face, according to research sources. Attackers have exploited weaknesses in the Pickle serialisation format — including by compressing models using the 7z format instead of standard ZIP, which allows malicious code to execute before the Picklescan security scanner completes its analysis.
False Authority as an Attack Vector
What sets this incident apart from previous cases is the use of OpenAI's brand name as a tool of social manipulation. By impersonating a well-known and trusted organisation, attackers increase the likelihood that users will download files without thoroughly verifying the source. This is a variant of classic brand impersonation, now directed squarely at the AI developer community.
Experts from the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) recommend that AI developers actively use tools such as Huntr — a bug bounty platform developed specifically for AI models and platforms — and maintain up-to-date security practices. They also advise preferring safer serialisation formats such as Safetensors over Pickle wherever possible.
Structural Vulnerability in the Open AI Ecosystem
The incident highlights a fundamental tension within the open AI ecosystem: the easier it is to share and download models, the easier it also becomes to exploit the trust that has been built up around recognised organisations. Hugging Face hosts millions of models, and the scaling challenge for security review is considerable.
The security offering is growing — Responsible AI Labs (RAIL) at Hugging Face is developing, among other things, agent security pipelines featuring pre-evaluation of tool calls and prompt injection detection. But this case demonstrates that technical measures alone are insufficient when attackers rely on social engineering just as much as technical loopholes.
Hugging Face had not publicly commented on the specific incident in available source material as of the publication date.
