Hugging Face, Clawpack Vulnerabilities Let Attackers Deploy Malware
Key Takeaways An active malware campaign is exploiting prominent AI platforms, Hugging Face and ClawHub, to distribute trojans, cryptominers, and infostealers. The attacks represent a shift in supply...
Key Takeaways
- An active malware campaign is exploiting prominent AI platforms, Hugging Face and ClawHub, to distribute trojans, cryptominers, and infostealers.
- The attacks represent a shift in supply chain vulnerabilities, targeting trusted AI ecosystems rather than traditional software repositories.
- Threat actors are leveraging techniques like indirect prompt injection in ClawHub and multi-stage infection chains via Hugging Face repositories.
- Both Windows and macOS systems are targeted, with payloads including AMOS Stealer and cryptominers.
- Defenders must treat AI models and extensions as untrusted inputs and implement robust validation and monitoring.
A sophisticated malware distribution campaign is actively exploiting the trusted environments of leading AI platforms, Hugging Face and ClawHub, to deploy a range of malicious payloads. These include trojans, cryptominers, and information stealers, all disguised as legitimate AI tools and agent extensions.
Table Of Content
This campaign signifies a critical evolution in supply chain attacks, moving beyond conventional software repositories to infiltrate the increasingly vital and trusted AI ecosystems.
ClawHub Ecosystem Under Attack
Within the OpenClaw ecosystem, which is distributed via ClawHub, researchers at Acronis TRU have uncovered 575 malicious “skills” published across 13 distinct developer accounts. These skills are trojanized applications designed to appear useful, such as a YouTube transcript summarizer, while secretly instructing users to download password-protected archives or execute encoded commands.
The campaign within ClawHub appears to be predominantly driven by two distinct threat actors: “hightower6eu,” responsible for an alarming 334 malicious skills (58% of the total), and “sakaen736jih,” linked to 199 skills (34.6%). The remaining 11 accounts contributed smaller volumes of malicious content.
A critical technique observed in ClawHub campaigns is “indirect prompt injection.” This method embeds hidden, malicious instructions within skill files that AI agents are designed to read and execute on behalf of users. Because OpenClaw agents operate autonomously based on these skill definitions, attackers can effectively transform them into unwitting intermediaries, significantly amplifying the attack’s reach beyond the initial victim.
Hugging Face Exploitation
Hugging Face, a platform hosting over one million machine learning models, has also been identified by Acronis TRU as a staging ground for multi-stage infection chains. Malicious repositories on the platform are hosting payloads targeting Windows, Linux, and Android systems. Two specific campaigns highlight this abuse:
ITHKRPAW Campaign
The ITHKRPAW campaign, which targeted Vietnamese financial sector organizations in January, employed a malicious LNK file. This file was used to invoke Cloudflare Workers, which then served a PowerShell dropper. The dropper retrieved its payload from a Hugging Face dataset repository while simultaneously opening a decoy cat image to conceal its malicious activity. Researchers assess with moderate confidence that the PowerShell script was likely generated by a Large Language Model (LLM), based on embedded Vietnamese-language comments.
FAKESECURITY Campaign
The FAKESECURITY campaign utilized a batch script, CDC1.bat, containing an encoded PowerShell blob. This blob downloaded a heavily obfuscated secondary batch script from a Hugging Face repository. After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and subsequently dropped a file masquerading as Windows Security.
Payloads and Persistence
For Windows targets, the payloads were detected as trojans protected with VMProtect. A second Windows payload demonstrated sophisticated techniques, using a 30-byte XOR key for runtime string decryption, dynamically resolving NT APIs, and performing in-memory process injection into explorer.exe. The injected code then established AES-encrypted command-and-control (C2) communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence through scheduled tasks and Windows Defender exclusion paths.
macOS systems were also targeted, with a base64-encoded command connecting to an external IP address (91.92.242[.]30) to silently download and execute AMOS Stealer. AMOS Stealer is a macOS-focused information stealer commonly sold as malware-as-a-service (MaaS) on Telegram and various underground forums.
What You Should Do
- Treat AI Components as Untrusted: Organizations and developers must treat all AI models, datasets, and agent extensions as untrusted inputs, applying the same rigorous validation and security scrutiny as any other third-party code.
- Audit OpenClaw Skills: Regularly audit all installed OpenClaw skills for any encoded commands, suspicious behaviors, or instructions that initiate external downloads.
- Monitor for Process Injection: Implement robust endpoint detection and response (EDR) solutions to monitor for unexpected process injection, particularly into critical system processes like explorer.exe.
- Block Malicious Indicators: Block known malicious indicators of compromise (IOCs) at the network perimeter, including the IP address 91.92.242[.]30 and the C2 domain velvet-parrot[.]com.
- Restrict Defender Exclusions: Utilize Group Policy or other centralized management tools to restrict unauthorized modifications to Windows Defender exclusion paths, preventing malware from disabling security features.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.