Hugging Face and ClawHub were breached, leading to the infiltration of hundreds of harmful AI models and agent capabilities as supply chain attacks focus on AI infrastructure.

**TL;DR** Hugging Face and ClawHub, the two largest repositories for AI models and agent skills, have been compromised with numerous malicious entries that steal credentials, create backdoors, and hijack AI agents for cryptocurrency mining.

The primary software supply chains in artificial intelligence have been systematically attacked. Hugging Face, which hosts over a million machine learning models used by nearly every AI company globally, has been found to contain hundreds of malicious models capable of executing arbitrary code on the systems of users who download them. ClawHub, the public registry for OpenClaw's AI agent skills, has suffered a targeted infiltration that introduced 341 harmful skills aimed at stealing credentials, setting up reverse shells, and commandeering AI agents for cryptocurrency mining.

While the methods of attack vary, they share a common goal: exploiting developers' implicit trust in shared repositories. Both attacks leverage the infrastructure the AI industry built to facilitate development and use it as the medium for compromising security.

**The Models**

Hugging Face has been aware of harmful models on its platform since at least 2024, when JFrog and ReversingLabs independently discovered models with concealed backdoors. The problem has not been isolated; it has escalated. Protect AI, which collaborated with Hugging Face to examine the platform's model library, scrutinized over four million models and found around 352,000 unsafe or suspicious findings across 51,700 models. JFrog identified more than 100 models capable of arbitrary code execution. The attack approach, referred to as "nullifAI," takes advantage of Python's pickle serialization format, the standard method for packaging machine learning models, which executes whatever object references the byte stream contains when a file is loaded. Attackers embed harmful Python code at the beginning of the pickle byte stream and compress the file using 7z instead of the typical ZIP format, which bypasses Hugging Face's PickleScan detection tool.

The malicious payloads are not subtle. Security researchers have documented models that establish reverse shells to hardcoded IP addresses, granting attackers direct access to the machines of those who load the model. Others steal credentials, exfiltrate environment variables, or download additional malware. A data scientist who downloads what seems to be a legitimate model for research or production could unwittingly be handing control of their machine to an attacker.

In response, Hugging Face has partnered with JFrog and Wiz to enhance its scanning capabilities. JFrog's integration has reduced false positives in malicious model detection by 96 percent. However, the platform's open architecture, which contributes to its value in the AI community, also makes it vulnerable. Anyone can upload models, and scanning catches known patterns, but the attackers behind nullifAI designed their method specifically to elude detection.
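The nullifAI technique above works for two reasons: unpickling executes the module references embedded in the byte stream, and a scanner that assumes a ZIP container never looks inside a 7z one. The following Python is an added example, not Hugging Face's or PickleScan's code, showing the two checks a loader can apply before it ever unpickles: classify the container by magic bytes and refuse anything it cannot scan, then walk the pickle opcodes with the standard library's `pickletools` and flag any module reference outside an allowlist. The allowlist, the `_EnvReader` sample object and the archive layout are constructed for this example.

```python
import io, os, pickle, pickletools, zipfile
SAFE_MODULES = {"collections", "torch", "numpy", "_codecs"}  # constructed allowlist; "builtins" deliberately absent
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
MAGICS = {SEVEN_ZIP_MAGIC: "7z", b"PK\x03\x04": "zip"}
STR_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"}

def classify_container(data: bytes) -> str:
    """Outer format by magic bytes, never by extension; 0x80 is PROTO, text pickles open with MARK or GLOBAL."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "pickle" if data[:1] in (b"\x80", b"(", b"c") else "unknown"

def pickle_globals(data: bytes) -> list:
    """Walk the opcode stream with pickletools (nothing is executed) and collect module.name references."""
    found, memo, strs, prev = [], [], [], ""
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":                           # protocol 0-3: arg is "module name"
            found.append(arg.replace(" ", "."))
        elif op.name in STR_OPS:
            strs.append(arg)
        elif op.name in ("BINGET", "LONG_BINGET"):        # protocol 4 re-uses memoised strings
            strs.append(memo[arg] if arg < len(memo) else None)
        elif op.name == "MEMOIZE":                        # memo slots are numbered in push order
            memo.append(strs[-1] if prev in STR_OPS else None)
        elif op.name == "STACK_GLOBAL":                   # module and name are the last two strings
            found.append(".".join(str(s) for s in strs[-2:]))
        prev = op.name
    return found

def triage(data: bytes) -> dict:
    """Verdict a loader can act on: only scanned pickles whose globals are all allowlisted pass."""
    if (kind := classify_container(data)) not in ("zip", "pickle"):   # 7z or unknown: unscannable, refuse
        return {"container": kind, "verdict": "reject", "suspicious": []}
    blobs = [data]
    if kind == "zip":                                     # torch-style archive: scan every .pkl member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    suspicious = [g for b in blobs for g in pickle_globals(b) if g.split(".", 1)[0] not in SAFE_MODULES]
    return {"container": kind, "verdict": "reject" if suspicious else "allow", "suspicious": suspicious}

class _EnvReader:  # constructed sample: its __reduce__ makes any unpickler call os.getenv (harmless here)
    def __reduce__(self):
        return (os.getenv, ("HOME",))
def make_samples() -> dict:  # constructed inputs; this module never unpickles any of them
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("model/data.pkl", pickle.dumps(_EnvReader(), protocol=4))
    return {"benign": pickle.dumps({"weights": [0.1, 0.2]}, protocol=4), "torch_zip": buf.getvalue(),
            "text_pickle": pickle.dumps(_EnvReader(), protocol=0), "sevenzip": SEVEN_ZIP_MAGIC + b"\0" * 8}
```

A real deployment would derive the allowlist from the loading framework and treat a "reject" verdict as a hard stop rather than a warning, since the scan cannot see inside a container it refuses.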

**The Skills**

ClawHub, the registry for OpenClaw's AI agent ecosystem, confronts a different yet related issue. OpenClaw has grown to 3.2 million users and formed partnerships with OpenAI, but its skill registry has become a target for attackers who recognize that a harmful skill runs with the agent's own access, including its databases, APIs, internal networks, and cloud credentials.

Koi Security audited all 2,857 skills on ClawHub and uncovered 341 malicious entries. Of these, 335 were linked to a single coordinated operation named "ClawHavoc." Additionally, Snyk's ToxicSkills research revealed that 36 percent of all AI agent skills contain security vulnerabilities, with approximately 900 skills (about 20 percent of the total) classified as malicious. Thirty skills from a single source were covertly using AI agents for cryptocurrency mining.

The attacks on ClawHub are particularly perilous due to the architecture of AI agents. The emergence of model context protocols and similar standards has created a new type of software supply chain in which AI systems autonomously pick and execute tools from external registries. A compromised skill doesn't require a human to click a link or open a file; it simply needs an AI agent to select the skill as part of a workflow, causing the malicious code to run with the agent's permissions.

**The Pattern**

The compromises of Hugging Face and ClawHub reflect an AI-specific version of a supply chain attack pattern that has been intensifying across the software industry. In March 2026, the LiteLLM package on PyPI was infiltrated, potentially exposing 500,000 credentials, including API keys for Meta, OpenAI, and Anthropic. Meta halted its AI data work following the breach, which threatened its training secrets. In April, a Bitwarden CLI package on npm was hijacked for 90 minutes with a payload specifically crafted to capture credentials from AI coding tools like Claude Code, Cursor, Codex CLI, and Aider. A few days later, the PyTorch Lightning package was compromised for 42 minutes, embedding a credential-stealing payload from the "Mini Sh

Hugging Face's model library has yielded 352,000 unsafe-model findings. ClawHub's registry has been found to contain 341 malicious AI agent skills. The AI supply chain has become the most appealing target in the realm of software security.