Hugging Face has disclosed a security incident in which an attacker gained access to part of its production infrastructure through weaknesses in dataset processing. The company says the campaign was operated end to end by an autonomous AI agent system, making the incident a significant example of agentic tooling being used in a sustained real-world intrusion.
The initial access involved a malicious dataset that abused two code-execution paths: a remote-code dataset loader and template injection in a dataset configuration. Hugging Face says the attacker then escalated to node-level access, collected cloud and cluster credentials and moved laterally into several internal clusters over a weekend.
Impact remains under assessment
Hugging Face identified unauthorised access to a limited set of internal datasets and several credentials used by its services. It has not yet completed its assessment of whether partner or customer data was affected and says it will contact affected parties where required. That uncertainty is important: the disclosure provides a current boundary for confirmed impact, not a final accounting.
The company says it has found no evidence that public, user-facing models, datasets or Spaces were altered. It also reports that container images, published packages and the wider software supply chain were checked and found clean. Users should distinguish that statement from a guarantee that no other data was accessed, because the investigation is continuing.
As a precaution, Hugging Face recommends that users rotate access tokens and review recent account activity. Organisations that connect automated systems to the Hub should also check token scope, recent downloads, service-account use and whether credentials have been copied into build or deployment environments.
Containment and remediation
Hugging Face says it closed the dataset code-execution paths used for entry, removed the attacker's foothold, rebuilt compromised nodes and revoked affected credentials and tokens. It has begun a broader precautionary secret rotation, added stricter cluster admission controls, expanded guardrails and changed high-severity alerting so responders are paged within minutes.
External cybersecurity forensic specialists are assisting the investigation, and the company has reported the incident to law enforcement. Those steps should help validate the internal reconstruction, but no independent forensic report or complete timeline was available with the initial disclosure.
AI used on both sides
According to Hugging Face, the attacker used a swarm of short-lived sandboxes to perform thousands of actions and moved command-and-control activity across public services. The company says it has not identified which model powered the attack. That limits conclusions about the system's origin, while still showing how automation can compress reconnaissance, exploitation and lateral movement.
Hugging Face also used AI-assisted detection and analysis during its response. Its systems correlated security telemetry to surface the intrusion, then analysis agents reviewed more than 17,000 logged events. The company says commercial hosted models initially blocked parts of that defensive analysis because the logs contained exploit commands and payloads, so it ran the open-weight GLM 5.2 model on its own infrastructure.
The incident reinforces two operational lessons for AI platforms: dataset ingestion is a high-risk execution boundary, and incident-response teams may need approved, locally controlled analysis models before a crisis occurs. Customers should now focus on credential hygiene and official updates while Hugging Face completes its assessment.