Hugging Face and ClawHub compromised with hundreds of malicious AI models and agent skills as supply chain attacks target AI infrastructure

The two most important software supply chains in artificial intelligence have been systematically compromised. Hugging Face, the repository that hosts more than a million machine learning models used by virtually every AI company on the planet, has been found to contain hundreds of malicious models capable of executing arbitrary code on the machines of anyone who downloads them. ClawHub, the public registry for OpenClaw’s AI agent skills, has been infiltrated by a coordinated campaign that planted 341 malicious skills designed to steal credentials, open reverse shells, and hijack AI agents for cryptocurrency mining.

The attacks are different in technique but identical in logic. Both exploit the implicit trust that developers place in shared repositories. Both use the infrastructure that the AI industry built to accelerate development as the vector for compromising it.

The models

Hugging Face has been aware of malicious models on its platform since at least 2024, when security firms JFrog and ReversingLabs independently identified models containing hidden backdoors. The problem has not been contained. It has scaled.

Protect AI, which partnered with Hugging Face to scan the platform’s model library, has examined more than four million models and identified approximately 352,000 unsafe or suspicious issues across 51,700 models. JFrog found more than 100 models capable of arbitrary code execution. The attack technique, known as “nullifAI,” exploits Python’s pickle serialisation format, the standard method for packaging machine learning models. Attackers embed malicious Python code at the start of the pickle byte stream and compress the file using 7z rather than the default ZIP format, which breaks Hugging Face’s PickleScan detection tool.

The payloads are not subtle. Security researchers have documented models that establish reverse shells connecting to hardcoded IP addresses, giving attackers direct access to the machine of anyone who loads the model. Others execute credential theft, exfiltrate environment variables, or download secondary malware. A data scientist who downloads what appears to be a legitimate model for a research project or production pipeline is, in some cases, handing control of their machine to an attacker.

Hugging Face has responded by partnering with JFrog and Wiz to improve scanning capabilities. JFrog’s integration has eliminated 96 per cent of false positives in malicious model detection. But the platform’s open architecture, which is the source of its value to the AI community, is also the source of its vulnerability. Anyone can upload a model. The scanning catches known patterns. The attackers who designed nullifAI built their technique specifically to evade the scanning.

The skills

ClawHub, the registry for OpenClaw’s AI agent ecosystem, faces a different but related problem. OpenClaw has grown to 3.2 million users and attracted partnerships with OpenAI, but its skill registry has become a target for attackers who understand that an AI agent executing a malicious skill has access to whatever the agent has access to, which in enterprise environments can mean databases, APIs, internal networks, and cloud credentials.

Koi Security audited all 2,857 skills on ClawHub and found 341 malicious entries. Of those, 335 were traced to a single coordinated operation called “ClawHavoc.” Separately, Snyk’s ToxicSkills research examined the broader ecosystem and found that 36 per cent of all AI agent skills contain security flaws, with approximately 900 skills, roughly 20 per cent of the total, classified as malicious. Thirty skills from a single author were silently co-opting AI agents for cryptocurrency mining.

The ClawHub attacks are particularly dangerous because of the nature of AI agent architectures. The rise of model context protocol and similar standards in the agentic era has created a new category of software supply chain in which AI systems autonomously select and execute tools from external registries. A compromised skill does not require a human to click a link or open a file. It requires an AI agent to select the skill as part of a workflow, at which point the malicious code executes with the agent’s permissions.

The pattern

The Hugging Face and ClawHub compromises are the AI-specific manifestation of a supply chain attack pattern that has been accelerating across the software industry. In March 2026, the LiteLLM package on PyPI was compromised, potentially exposing 500,000 credentials including API keys for Meta, OpenAI, and Anthropic. Meta froze its AI data work after the breach put training secrets at risk. In April, a Bitwarden CLI package on npm was hijacked for 90 minutes with a payload specifically designed to harvest credentials from AI coding tools including Claude Code, Cursor, Codex CLI, and Aider. Days later, the PyTorch Lightning package was compromised for 42 minutes with a credential-stealing payload from the “Mini Shai-Hulud” campaign.

The European Commission itself was breached after attackers poisoned Trivy, an open-source security scanning tool, demonstrating that even the tools designed to detect supply chain attacks can become vectors for them. The United States Department of Defence published formal guidance on AI and ML supply chain risks in March 2026, acknowledging at an institutional level that the AI software ecosystem has become a national security concern.

The common thread is speed. The PyTorch Lightning compromise lasted 42 minutes. The Bitwarden CLI hijack lasted 90 minutes. The LiteLLM attack window is estimated at hours. These are not persistent campaigns that defenders have weeks to detect. They are brief, targeted insertions that exploit the automated dependency resolution systems that modern software development relies on. A developer who runs a package install at the wrong moment downloads the compromised version. The window closes. The damage is done.

The asymmetry

The AI industry has invested hundreds of billions of dollars in model training, inference infrastructure, and application development. The investment in securing the repositories through which that software is distributed has been a fraction of the total. Hugging Face has partnered with security firms. ClawHub has implemented basic moderation. Package registries have added two-factor authentication requirements. None of these measures has prevented the attacks documented above.

State actors can already produce AI-powered malware that evades conventional detection, and the supply chain attacks on AI repositories represent a natural evolution of that capability. The models and skills hosted on Hugging Face and ClawHub are consumed by systems that make automated decisions, process sensitive data, and operate with elevated permissions. A compromised model in a production AI pipeline is not equivalent to a virus on a personal computer. It is a backdoor into an automated decision-making system that the organisation trusts precisely because it appears to be a legitimate component of its AI stack.

The fundamental problem is architectural. The AI industry built its development infrastructure on the same open-registry model that has defined software development for the past two decades: centralised repositories where anyone can publish, automated tools that download and execute code from those repositories, and a culture of trust that treats popular packages and models as implicitly safe. The difference is that AI models are not just code. They are serialised objects that execute during deserialisation, a property that makes pickle-based models inherently more dangerous than traditional software packages, because the malicious code runs the moment the model is loaded, before any human has a chance to inspect it.

The AI supply chain is now the most attractive target in software security. The repositories are trusted. The consumers are automated. The payloads execute on load. And the industry that built these systems is spending its security budget on model alignment and prompt injection while the infrastructure through which the models are distributed remains, in the assessment of every major security firm that has examined it, comprehensively compromised.