Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
AI Penetration Testing Now Covers Retrieval Poisoning, Memory, and Sensor Attacks
July 16, 2026
Home/CyberSecurity News/Hugging Face, Clawpack Vulnerabilities Let Attackers Deploy Malware
CyberSecurity News

Hugging Face, Clawpack Vulnerabilities Let Attackers Deploy Malware

Key Takeaways An active malware campaign is exploiting prominent AI platforms, Hugging Face and ClawHub, to distribute trojans, cryptominers, and infostealers. The attacks represent a shift in supply...

Sarah simpson
Sarah simpson
May 8, 2026 3 Min Read
51 0

Key Takeaways

  • An active malware campaign is exploiting prominent AI platforms, Hugging Face and ClawHub, to distribute trojans, cryptominers, and infostealers.
  • The attacks represent a shift in supply chain vulnerabilities, targeting trusted AI ecosystems rather than traditional software repositories.
  • Threat actors are leveraging techniques like indirect prompt injection in ClawHub and multi-stage infection chains via Hugging Face repositories.
  • Both Windows and macOS systems are targeted, with payloads including AMOS Stealer and cryptominers.
  • Defenders must treat AI models and extensions as untrusted inputs and implement robust validation and monitoring.

A sophisticated malware distribution campaign is actively exploiting the trusted environments of leading AI platforms, Hugging Face and ClawHub, to deploy a range of malicious payloads. These include trojans, cryptominers, and information stealers, all disguised as legitimate AI tools and agent extensions.

Table Of Content

  • Key Takeaways
  • ClawHub Ecosystem Under Attack
  • Hugging Face Exploitation
  • ITHKRPAW Campaign
  • FAKESECURITY Campaign
  • Payloads and Persistence
  • What You Should Do

This campaign signifies a critical evolution in supply chain attacks, moving beyond conventional software repositories to infiltrate the increasingly vital and trusted AI ecosystems.

ClawHub Ecosystem Under Attack

Within the OpenClaw ecosystem, which is distributed via ClawHub, researchers at Acronis TRU have uncovered 575 malicious “skills” published across 13 distinct developer accounts. These skills are trojanized applications designed to appear useful, such as a YouTube transcript summarizer, while secretly instructing users to download password-protected archives or execute encoded commands.

The campaign within ClawHub appears to be predominantly driven by two distinct threat actors: “hightower6eu,” responsible for an alarming 334 malicious skills (58% of the total), and “sakaen736jih,” linked to 199 skills (34.6%). The remaining 11 accounts contributed smaller volumes of malicious content.

A critical technique observed in ClawHub campaigns is “indirect prompt injection.” This method embeds hidden, malicious instructions within skill files that AI agents are designed to read and execute on behalf of users. Because OpenClaw agents operate autonomously based on these skill definitions, attackers can effectively transform them into unwitting intermediaries, significantly amplifying the attack’s reach beyond the initial victim.

Hugging Face Exploitation

Hugging Face, a platform hosting over one million machine learning models, has also been identified by Acronis TRU as a staging ground for multi-stage infection chains. Malicious repositories on the platform are hosting payloads targeting Windows, Linux, and Android systems. Two specific campaigns highlight this abuse:

ITHKRPAW Campaign

The ITHKRPAW campaign, which targeted Vietnamese financial sector organizations in January, employed a malicious LNK file. This file was used to invoke Cloudflare Workers, which then served a PowerShell dropper. The dropper retrieved its payload from a Hugging Face dataset repository while simultaneously opening a decoy cat image to conceal its malicious activity. Researchers assess with moderate confidence that the PowerShell script was likely generated by a Large Language Model (LLM), based on embedded Vietnamese-language comments.

FAKESECURITY Campaign

The FAKESECURITY campaign utilized a batch script, CDC1.bat, containing an encoded PowerShell blob. This blob downloaded a heavily obfuscated secondary batch script from a Hugging Face repository. After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and subsequently dropped a file masquerading as Windows Security.

Payloads and Persistence

For Windows targets, the payloads were detected as trojans protected with VMProtect. A second Windows payload demonstrated sophisticated techniques, using a 30-byte XOR key for runtime string decryption, dynamically resolving NT APIs, and performing in-memory process injection into explorer.exe. The injected code then established AES-encrypted command-and-control (C2) communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence through scheduled tasks and Windows Defender exclusion paths.

macOS systems were also targeted, with a base64-encoded command connecting to an external IP address (91.92.242[.]30) to silently download and execute AMOS Stealer. AMOS Stealer is a macOS-focused information stealer commonly sold as malware-as-a-service (MaaS) on Telegram and various underground forums.

What You Should Do

  • Treat AI Components as Untrusted: Organizations and developers must treat all AI models, datasets, and agent extensions as untrusted inputs, applying the same rigorous validation and security scrutiny as any other third-party code.
  • Audit OpenClaw Skills: Regularly audit all installed OpenClaw skills for any encoded commands, suspicious behaviors, or instructions that initiate external downloads.
  • Monitor for Process Injection: Implement robust endpoint detection and response (EDR) solutions to monitor for unexpected process injection, particularly into critical system processes like explorer.exe.
  • Block Malicious Indicators: Block known malicious indicators of compromise (IOCs) at the network perimeter, including the IP address 91.92.242[.]30 and the C2 domain velvet-parrot[.]com.
  • Restrict Defender Exclusions: Utilize Group Policy or other centralized management tools to restrict unauthorized modifications to Windows Defender exclusion paths, preventing malware from disabling security features.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Facial Recognition Bypass: Fake Moustache Tricks Age Verification

Next Post

ZiChatBot Malware Uses Zulip API for Command and Control

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Flipper Zero Add-On Detects Skimmers with Specter Tool
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us