Breach · Published May 1, 2026 · Updated May 18, 2026 · 1 source

Hugging Face, ClawHub Abused for Malware Distribution via Trojanized AI Files

Threat actors are distributing malware through AI platforms Hugging Face and ClawHub by uploading trojanized shared files that trick users into executing malicious code.

Threat actors are actively abusing AI distribution platforms Hugging Face and ClawHub to distribute malware, according to a new report from cybersecurity firm Acronis. The attacks do not compromise the AI models themselves but rely on social engineering and indirect prompt injection to trick users into downloading and executing malicious code disguised as legitimate shared files.

On ClawHub, an open-source ecosystem for building AI agents, Acronis identified nearly 600 malicious "skills" — community-built extensions that expand agent capabilities — spread across 13 developer accounts. Two accounts, hightower6eu and sakaen736jih, hosted the bulk of the malicious content, with 334 and 199 skills respectively. These skills deliver trojans, cryptominers, and the Atomic macOS Stealer (AMOS) to both Windows and macOS systems.

The modular architecture of OpenClaw allows AI agents to execute external code with high privileges. By injecting indirect prompts into resources the AI reads, attackers can instruct agents to download and execute payloads on users' machines without their knowledge. "It appears that threat actors distributing payloads through traditional vectors such as malvertisement are increasingly shifting toward poisoning trusted distribution channels," Acronis noted.

Across two separate campaigns abusing Hugging Face, attackers created repositories hosting malicious files designed to stage multi-step infection chains. These chains deliver infostealers, trojans, malware loaders, and other payloads targeting Windows, Linux, and Android systems. The campaigns exploit the trust users place in Hugging Face as a legitimate repository for AI models and code.

Acronis warned that accurately measuring the full scale of this activity is difficult due to the platforms' size and the dynamic nature of hosted content. "The true scale of this activity is likely higher but requires further and deeper investigation," the company stated. The findings highlight a growing trend of attackers moving from traditional distribution vectors like malvertising to poisoning trusted AI ecosystems.

This abuse mirrors previous incidents where Hugging Face was used to deploy Android remote access trojans, and underscores the security challenges posed by rapidly expanding AI-as-a-service platforms. Organizations and individual users are advised to exercise caution when downloading files from AI repositories and to verify the authenticity of shared code before execution.

Synthesized by Vypr AI