top of page
ALL POSTS
Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware, Reaches Top Downloads
Key Findings Malicious repository impersonating OpenAI's Privacy Filter reached #1 trending on Hugging Face with 244,000 downloads in 18 hours before removal Typosquatting attack used copied model descriptions and fake AI code to distribute Rust-based information stealer malware Multi-stage attack chain included privilege escalation, Windows Defender evasion, and credential theft targeting browsers, wallets, and Discord At least six additional malicious repositories using sim
May 113 min read
Critical Unpatched Vulnerability in Hugging Face LeRobot Enables Unauthenticated Remote Code Execution
Key Findings CVE-2026-25874 (CVSS 9.3) in Hugging Face LeRobot allows unauthenticated remote code execution via unsafe pickle deserialization Vulnerability exists in PolicyServer and robot client components using unencrypted gRPC channels without TLS Flaw remains unpatched as of now, with fix planned for version 0.6.0 Nearly 24,000 GitHub stars indicate significant adoption despite the critical security issue Attackers can steal credentials, compromise connected robots, and m
Apr 292 min read
bottom of page
