HiddenLayer also said it discovered six additional Hugging Face repositories containing virtually identical loader logic that share infrastructure with the cited attacks.
This incident follows other warnings about malicious AI models on Hugging Face, including a poisoned AI SDK and a fake OpenClaw installer. What they have in common is that attackers treat AI development workflows as a route into an environment that is otherwise well secured. The risk is rarely the model weights alone: AI repositories also contain executable code, setup instructions, dependency files, notebooks, scripts and other surrounding material, and any of these can carry the malicious logic.
Sakshi Grover, senior research manager for cybersecurity services at IDC, said traditional software composition analysis (SCA) was designed to inspect dependency manifests, libraries and container images, and is less effective at identifying malicious loader logic within AI repositories. Grover also cited IDC’s November 2025 FutureScape report, which called for 60% of agent AI systems to have a bill of materials by 2027. Such a bill of materials helps companies track which AI artifacts they are using, where they came from, which versions have been approved, and whether they contain executable components.
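As an added example (not code from HiddenLayer, IDC or Hugging Face), a minimal inventory script in the spirit of the AI bill of materials described above: it walks a local repository snapshot, hashes every file and flags the components that can execute code when the model is loaded or installed. The constructed sample repository, the file labels and the suffix lists are assumptions.

```python
import hashlib
import json
import os
import tempfile

# Checkpoints loaded through pickle (torch.load) can run code; safetensors cannot.
PICKLE_SUFFIXES = {".pkl", ".pickle", ".bin", ".pt", ".pth", ".ckpt"}
CODE_SUFFIXES = {".py", ".ipynb", ".sh"}
SETUP_FILES = {"setup.py", "requirements.txt", "pyproject.toml"}
NON_EXECUTABLE = {"weights", "config", "data"}


def classify(relpath, data):
    """Label one repository file by whether loading or installing it can run code."""
    name = os.path.basename(relpath)
    suffix = os.path.splitext(name)[1].lower()
    if name == "config.json":
        try:
            cfg = json.loads(data)
        except ValueError:
            return "malformed-config"
        # auto_map makes the loader import custom modeling code shipped in the repo
        # (with trust_remote_code=True), so the config itself is tracked as executable.
        return "config-custom-code" if "auto_map" in cfg else "config"
    if name in SETUP_FILES:
        return "setup"
    if suffix in CODE_SUFFIXES:
        return "code"
    if suffix in PICKLE_SUFFIXES:
        return "pickle-checkpoint"
    return "weights" if suffix == ".safetensors" else "data"


def inventory(root):
    """Walk a local repo snapshot and return one AI-BOM style entry per file."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root)
            kind = classify(rel, data)
            entries.append({"path": rel, "kind": kind, "executable": kind not in NON_EXECUTABLE,
                            "sha256": hashlib.sha256(data).hexdigest()})
    return entries


def executable_paths(root):
    return sorted(e["path"] for e in inventory(root) if e["executable"])


def build_sample_repo():
    """Constructed sample repository (not a real Hugging Face repo) for a local run."""
    root = tempfile.mkdtemp()
    files = {"config.json": json.dumps({"model_type": "x", "auto_map": {"AutoModel": "modeling_x.X"}}),
             "modeling_x.py": "import os  # custom loader code runs at import time\n",
             "model.safetensors": "\x00" * 8, "pytorch_model.bin": "PK\x03\x04", "README.md": "# demo\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root
```

Pinning the recorded sha256 of each flagged path against an approved list is what turns this inventory into the version-approval check the report calls for.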