Back to section
Bezpečnosť 🔥 Top

Hugging Face discloses security incident: autonomous AI agent attacked production infrastructure

Piatok 17. júla 2026 Source: Hugging Face

What happened

On July 16, 2026, Hugging Face disclosed a security incident in which an autonomous AI agent exploited two vulnerabilities in the dataset processing pipeline — a remote-code (RCE) dataset loader and template injection in dataset configuration — to gain initial access on a worker node.

Context and impact

The attacker escalated to node-level access, moved laterally through internal clusters over a weekend, and compromised a set of credentials. This is among the first publicly confirmed incidents where an autonomous AI agent conducted an end-to-end cyberattack on a major AI platform's production infrastructure.

Details

  • Attack vector: malicious dataset with RCE loader + template injection in configuration
  • Affected: a limited set of internal datasets and several service credentials
  • Not affected: public models, datasets, Spaces, software supply chain
  • Response: vulnerabilities patched, compromised nodes rebuilt, credentials rotated
  • Forensics: external cybersecurity team + LLM-assisted analysis of 17,000+ attacker log events
  • Reported: to law enforcement
Open original source Hugging Face