
Hugging Face has confirmed a security breach unlike anything the AI platform has faced before — an intrusion planned and executed end-to-end by an autonomous AI agent system, with no human operator visibly at the keyboard.
The company disclosed this week that attackers gained unauthorised access to a limited set of internal datasets and service credentials after compromising its production infrastructure over a single weekend. Hugging Face says public models, datasets, Spaces, and its software supply chain were verified clean, though an assessment of potential partner and customer data exposure is still underway.
The entry point was the platform's own data-processing pipeline. A malicious dataset abused two code-execution flaws — a remote-code dataset loader and a template injection in a dataset configuration file — to run code on a processing worker.
From there, the agent framework escalated to node-level access, harvested cloud and cluster credentials, and moved laterally across several internal clusters, executing more than 17,000 recorded actions through a swarm of short-lived sandboxes with self-migrating command-and-control (C2) staged on public services. The underlying LLM powering the attack remains unidentified.
Ironically, the breach was caught by AI as well. Hugging Face's LLM-based triage system correlated anomalous telemetry signals and flagged the compromise, and the company then unleashed its own analysis agents on the full attacker action log — compressing days of forensic work into hours.
That forensic effort surfaced an uncomfortable asymmetry. When responders first fed real exploit payloads and C2 artifacts into frontier commercial models, safety guardrails blocked the requests, unable to distinguish an incident responder from an attacker. The team ultimately ran the investigation on GLM 5.2, an open-weight model hosted on its own infrastructure, which also prevented stolen credentials from leaving the environment. Hugging Face's advice to defenders: vet and stage a capable self-hosted model before an incident, not during one.
The company has patched the root vulnerabilities, rebuilt compromised nodes, rotated affected secrets, and notified law enforcement, with outside forensic specialists now reviewing its security posture.
Users are urged to rotate access tokens and review recent account activity.