model-hub-security
Safeguard articles tagged "model-hub-security" — guides, analysis, and best practices for software supply chain and application security.
3 articles
Hugging Face as Malware CDN and Exfiltration Backend: The DPRK-Linked npm Campaign of May 2026
OX Security disclosed a DPRK-aligned campaign that abused Hugging Face as a malware host and data-exfiltration backend, using public repos to serve second-stage payloads and private datasets to receive stolen developer secrets.
The Fake OpenAI 'privacy-filter' Model: How a Typosquat Hit #1 on Hugging Face in May 2026
A repository named Open-OSS/privacy-filter impersonated OpenAI's release, copied its model card verbatim, and shipped a loader.py that pulled an infostealer. It reached #1 trending with ~244,000 downloads before removal.
Risks of downloading malicious pretrained models from pub...
Real incidents show malicious Hugging Face models evading scanners with pickle exploits and reverse shells. Here's what teams need to know before the next pull.