By Lyrie AI Cyber Research Division·5/11/2026

TL;DR

The AI model supply chain is experiencing a systemic security collapse. Within a single rolling 60-day window in 2026, researchers have documented: a fake OpenAI repository on Hugging Face that reached #1 trending and accumulated 244,000 downloads before delivering a Rust-based infostealer; a critical unpatched RCE in Hugging Face's own robotics framework (CVE-2026-25874, CVSS 9.3) exploitable by any unauthenticated attacker on the network; a technique called NullifAI that uses archive-format tricks to slip malicious pickle payloads past Hugging Face's own malware scanner; and a SQL injection zero-day in LiteLLM (CVE-2026-42208) exploited within 36 hours of disclosure to exfiltrate AI API keys with five-figure monthly spend caps. The picture is not one of isolated incidents — it is a category-defining trust failure in the infrastructure layer that now underpins most enterprise AI deployments.


Background: Why AI Model Registries Are the New Package Repositories

For two decades, the software security community fought an asymmetric war against malicious packages on PyPI, npm, RubyGems, and Maven. The lesson — that open, low-friction distribution creates a high-value attack surface — was learned slowly and painfully, one poisoned dependency at a time.

The AI community is about to learn the same lesson at speed.

Hugging Face now hosts over 1.2 million AI models as of early 2026. The platform's frictionless model-sharing ethos — anyone can upload, anyone can download — mirrors exactly the conditions that made PyPI a threat vector. The difference is the blast radius. When a malicious npm package executes code, it typically runs in a Node.js process. When a malicious AI model executes code during loading, it often does so on a GPU-backed inference server running with elevated privileges, connected to internal model stores, proprietary datasets, and cloud API key vaults whose credentials represent six-figure compute budgets.

The threat is not theoretical. It is active, it is escalating, and the defenses are lagging by months to years.


Technical Analysis

Vector 1: The NullifAI Pickle Bomb

The fundamental vulnerability in the AI model ecosystem is Python's pickle serialization format. Pickle is the standard method for packaging machine learning model weights — torch.load(), pickle.load(), and joblib.load() appear in the first ten lines of virtually every model inference script ever written. The problem is architectural: a pickle stream is a program for a small stack machine, and its GLOBAL and REDUCE opcodes let that program import any module and call any function with attacker-chosen arguments. There is no sandbox. There is no safe subset. Loading a model file is executing code.

Approximately 80% of models on Hugging Face use pickle serialization according to Protect AI's ongoing scanner results. When Protect AI and its partners examined the platform's model library at scale, they identified approximately 352,000 unsafe or suspicious issues across 51,700 models. JFrog's security team separately found more than 100 models capable of direct arbitrary code execution — models that would immediately spawn a reverse shell, download a second-stage payload, or exfiltrate environment variables the moment an engineer typed model = torch.load("model.bin").

The NullifAI technique adds a bypass layer on top of this. Discovered in active campaigns and later analyzed by ReversingLabs, NullifAI exploits the fact that Hugging Face's own malware scanner relies on PyTorch's torch.load() to inspect model files for malicious pickle opcodes. NullifAI-armed models swap the standard ZIP container format for 7z compression. When torch.load() encounters the 7z-compressed file, it fails with a format error and returns without scanning; the scanner treats that failure as a clean result. The malicious payload — a pickle opcode chain hidden inside the model weights — is never inspected.

The attacker's perspective is elegant: host a model with realistic weights and a plausible card description, use 7z packaging, embed a reverse shell in the pickle stream, and wait for researchers or engineers to pull the model and call torch.load(). Hugging Face's own scanner gives it a clean bill of health.
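Below is an added example, written for this edition and not Hugging Face's scanner nor anything published by the vendors cited here, of what a fail-closed model-file check looks like in Python. The container is identified by magic bytes before anything is handed to a loader, a 7z or unknown container is rejected rather than reported clean, and pickle streams are walked with pickletools.genops so that every module/name the stream would import is listed without executing it. The SAFE_GLOBALS allowlist, the archive layout and the sample inputs are assumptions constructed for the example.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Container magic bytes (public format constants).
ZIP_MAGIC = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Globals a plain PyTorch state_dict pickle is expected to reference.
# Assumption for this example; a production allowlist is longer and versioned.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def container_kind(data: bytes) -> str:
    """Classify the outer container by magic bytes, never by file extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(SEVENZ_MAGIC):
        return "7z"
    if data[:1] == b"\x80":  # PROTO opcode: a bare pickle stream, protocol 2 or later
        return "pickle"
    return "unknown"


def pickle_globals(stream: bytes) -> list:
    """List every (module, name) the stream would import, without executing it.
    GLOBAL/INST carry the pair inline; STACK_GLOBAL (protocol 4+) consumes the two
    most recently pushed strings, which may come back from the memo (BINGET)."""
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(stream):
        name = op.name
        if name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
            last = None
        elif name == "STACK_GLOBAL":
            attr, module = strings.pop(), strings.pop()
            found.append((module, attr))
            last = None
        elif name in STRING_OPS:
            strings.append(arg)
            last = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg)
            if isinstance(last, str):
                strings.append(last)
        else:
            last = None
    return found


def scan_model_bytes(data: bytes) -> dict:
    """Verdict for one file. Anything that cannot be opened is rejected, never
    reported clean: failing open on an odd container is what NullifAI abuses."""
    kind = container_kind(data)
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
        except zipfile.BadZipFile:
            return {"verdict": "reject", "reason": "corrupt zip", "flagged": []}
        if not streams:
            return {"verdict": "reject", "reason": "no pickle entry in archive", "flagged": []}
    elif kind == "pickle":
        streams = [data]
    else:
        return {"verdict": "reject", "reason": f"unsupported container: {kind}", "flagged": []}
    flagged = sorted({g for s in streams for g in pickle_globals(s) if g not in SAFE_GLOBALS})
    if flagged:
        return {"verdict": "reject", "reason": "non-allowlisted globals", "flagged": flagged}
    return {"verdict": "allow", "reason": "only allowlisted globals", "flagged": []}


def sample_state_dict_zip() -> bytes:
    """Constructed stand-in for a torch.save() archive: archive/data.pkl holding an OrderedDict."""
    state = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(state, protocol=4))
    return buf.getvalue()


# Constructed sample: PROTO 2, GLOBAL os getcwd, EMPTY_TUPLE, REDUCE, STOP. The
# referenced callable is harmless; the scan lists the import without running it.
SAMPLE_REDUCE_PICKLE = b"\x80\x02cos\ngetcwd\n)R."
# Constructed sample: a 7z header plus filler, as a torch.load()-based scanner sees it.
SAMPLE_SEVENZ = SEVENZ_MAGIC + b"\x00" * 32
```

Calling scan_model_bytes on the three samples gives allow for the state_dict archive, reject with the os.getcwd import listed for the REDUCE stream, and reject with "unsupported container: 7z" for the 7z blob. As a complement at load time, torch.load(path, weights_only=True) (available since PyTorch 1.13 and the default since 2.6) refuses non-allowlisted globals, but that control runs on the consumer's side and does nothing about a registry scanner that already returned clean on a container it could not open.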

Vector 2: The Trending Fake — Open-OSS/privacy-filter

The most visible incident from the past week demonstrates that the attacker playbook has matured well beyond subtle pickle tricks. Discovered on May 7, 2026 by HiddenLayer researchers, a malicious repository named Open-OSS/privacy-filter used a multi-layer deception to reach #1 on Hugging Face's trending list and accumulate approximately 244,000 downloads (though investigators note the download count may have been artificially inflated by automation).

The repository typosquatted OpenAI's legitimate "Privacy Filter" project, copying the model card nearly verbatim. The actual payload mechanism avoided pickle entirely — attackers appear to have recognized that even imperfect scanning raises friction. Instead, the malicious loader.py script:

1. Appeared legitimate — included real-looking AI inference code referencing model weights and tokenizers

2. Disabled SSL certificate verification silently

3. Decoded a base64-encoded URL pointing to an external C2 resource

4. Fetched a JSON payload containing an embedded PowerShell command

5. Executed the PowerShell command in an invisible window using subprocess.Popen with CREATE_NO_WINDOW

6. Downloaded start.bat — a batch script that performs privilege escalation via scheduled task hijacking

7. Downloaded the final payload, sefirah — a Rust-based infostealer — and added it to Microsoft Defender's exclusion list before execution

The sefirah infostealer's target list is comprehensive: Chromium and Gecko browser credential stores, Discord tokens and master keys, cryptocurrency wallets and browser wallet extensions, SSH/FTP/VPN configuration files, sensitive local documents, and multi-monitor screenshots. All data is compressed and exfiltrated to recargapopular[.]com.

HiddenLayer's investigation found overlap with an npm typosquatting campaign distributing the WinOS 4.0 implant, suggesting a threat actor with a multi-ecosystem, multi-tool malware distribution operation.

Vector 3: CVE-2026-25874 — Unauthenticated RCE in Hugging Face LeRobot

If user-downloaded models represent a supply chain risk, CVE-2026-25874 represents something worse: a pre-auth RCE in Hugging Face's own software that can compromise the servers running models without any user interaction at all.

LeRobot is Hugging Face's open-source robotics platform, currently carrying nearly 24,000 GitHub stars and increasingly deployed in industrial automation and research environments. The vulnerability, discovered independently by VulnCheck researcher Valentin Lobstein and an earlier researcher going by "chenpinji" (who reported it in December 2025), lies in the async inference pipeline.

The async PolicyServer and robot client components use pickle.loads() to deserialize data received over unauthenticated gRPC channels without TLS. There is no authentication, no authorization check, and no input validation before the pickle payload is deserialized and executed.

Attack path:

Attacker → Network → PolicyServer gRPC port (unauthenticated)
→ SendPolicyInstructions / SendObservations / GetActions RPC
→ Crafted pickle payload → pickle.loads()
→ Arbitrary OS command execution as the server process user

The CVSS score of 9.3 reflects the severity: network-adjacent, no authentication, no user interaction, high-impact on confidentiality, integrity, and availability. The blast radius on a typical inference deployment is significant: GPU-backed servers running with elevated privileges to access model stores, cloud API credentials mounted as environment variables, and internal network access to training data and proprietary datasets.

The issue was acknowledged by the LeRobot team in January 2026 after chenpinji's disclosure. The response was that "that part of the codebase needs to be almost entirely refactored as its original implementation was more experimental." A fix is planned for version 0.6.0. As of this writing, the vulnerability remains unpatched in all currently released versions, including the most recent 0.4.3.
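As an added example, not LeRobot's code and not a fix the project has published, the following contrasts the pattern described above, raw pickle.loads() on bytes taken from the network, with an Unpickler that resolves every global through an allowlist, followed by a schema check on the decoded message. The message field names, the allowlist contents and the sample payloads are assumptions; the crafted sample references a harmless callable so the difference between the two loaders is visible without any side effect.

```python
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allowlist.

    find_class() is the single point through which GLOBAL, STACK_GLOBAL and INST
    resolve imports, so refusing here blocks REDUCE-driven calls before they happen.
    """
    # Assumption for this example: an observation/action message needs only plain
    # containers and numbers. A real server would add the exact tensor rebuild
    # helpers it uses, and nothing else.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def unsafe_loads(data: bytes):
    """The pattern described above: raw pickle.loads() on bytes taken from the network."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Allowlisted replacement. It adds no authentication; that belongs on the
    transport (TLS with client certificates on the gRPC channel)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def validate_observation(msg) -> dict:
    """Schema check after decoding: the allowlist stops code execution, not bad data.
    Field names are assumptions for the example."""
    if not isinstance(msg, dict):
        raise ValueError("observation must be a dict")
    joints = msg.get("joint_positions")
    if not (isinstance(joints, list) and joints
            and all(isinstance(j, (int, float)) and not isinstance(j, bool) for j in joints)):
        raise ValueError("joint_positions must be a non-empty list of numbers")
    return {"joint_positions": [float(j) for j in joints]}


# Constructed samples. CRAFTED is PROTO 2, GLOBAL os getcwd, EMPTY_TUPLE, REDUCE,
# STOP: a harmless callable, chosen so the difference between the loaders is
# observable with no side effect. BENIGN is a well-formed observation.
CRAFTED = b"\x80\x02cos\ngetcwd\n)R."
BENIGN = pickle.dumps({"joint_positions": [0.1, 0.2, 0.3]}, protocol=4)


def compare() -> dict:
    """What each loader does with each message."""
    result = {"unsafe_ran_global": isinstance(unsafe_loads(CRAFTED), str)}
    try:
        safe_loads(CRAFTED)
        result["safe_rejected"] = False
    except pickle.UnpicklingError:
        result["safe_rejected"] = True
    result["benign_ok"] = validate_observation(safe_loads(BENIGN)) == {"joint_positions": [0.1, 0.2, 0.3]}
    return result
```

compare() returns unsafe_ran_global True (the raw loader called the referenced function during load), safe_rejected True and benign_ok True. The allowlist is a stopgap for a pipeline that must keep pickle for now; the durable fix is a typed message format on the channel (gRPC already carries protobuf) together with authentication at the transport, which is what the planned refactor has to deliver.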

Vector 4: LiteLLM CVE-2026-42208 — The API Key Aggregator Attack

The final vector in this landscape is the compromise of the middleware layer that sits between enterprise applications and AI providers. LiteLLM is the dominant open-source proxy and gateway for routing requests across 100+ LLM APIs — it is, effectively, the API key vault for enterprises running multi-model AI workflows.

CVE-2026-42208 is a pre-authentication SQL injection in LiteLLM's authentication path. Sysdig researchers described the blast radius:

"A single litellm_credentials row often holds an OpenAI organization key with five-figure monthly spend caps, an Anthropic console key with workspace admin rights, and an AWS Bedrock IAM credential. The blast radius of a successful database extraction is closer to a cloud-account compromise than a typical web-app SQL injection."

Active exploitation was observed within 36 hours of public disclosure — faster than most organizations can assess, prioritize, and schedule a patch. Separately, in March 2026, a PyPI compromise of the LiteLLM package itself potentially exposed 500,000 credentials including API keys for Meta, OpenAI, and Anthropic.
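To make the injection class concrete, here is an added example in Python with sqlite3; it is not LiteLLM's code or schema. A lookup that splices the presented virtual key into SQL text sits beside a parameterised lookup over a hashed key whose row holds only a secrets-manager reference, the design the Strategic section's secrets-management item points at. Table names, the sample key, the vault path and the hostile input are constructed.

```python
import hashlib
import sqlite3

# Constructed schema for the example; not LiteLLM's real tables.
# v1 is the shape that turns a SQL injection into a cloud-account compromise:
# the virtual key is compared as plaintext and the provider secret sits in the
# same row. v2 stores only a SHA-256 of the virtual key plus a reference into a
# secrets manager, so a dump of the table yields neither.
SCHEMA = """
CREATE TABLE api_keys_v1 (virtual_key TEXT PRIMARY KEY, owner TEXT, provider_key TEXT);
CREATE TABLE api_keys_v2 (key_hash TEXT PRIMARY KEY, owner TEXT, secret_ref TEXT);
"""

VIRTUAL_KEY = "sk-demo-virtual-key"  # constructed sample credential
# Constructed hostile input: the textbook tautology, used only to show that the
# two lookups diverge on it.
TAUTOLOGY = "' OR 1=1 --"


def key_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with one constructed row per table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO api_keys_v1 VALUES (?, ?, ?)",
                 (VIRTUAL_KEY, "team-a", "sk-provider-PLACEHOLDER"))
    conn.execute("INSERT INTO api_keys_v2 VALUES (?, ?, ?)",
                 (key_hash(VIRTUAL_KEY), "team-a", "vault://ai/openai/team-a"))
    conn.commit()
    return conn


def vulnerable_lookup(conn, token: str) -> list:
    """The defect class described above: the presented token becomes SQL text."""
    sql = f"SELECT owner, provider_key FROM api_keys_v1 WHERE virtual_key = '{token}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, token: str):
    """Parameterised query over a hashed key; None unless exactly one row matches."""
    rows = conn.execute(
        "SELECT owner, secret_ref FROM api_keys_v2 WHERE key_hash = ?",
        (key_hash(token),),
    ).fetchall()
    return rows[0] if len(rows) == 1 else None
```

With the seeded database, vulnerable_lookup returns the row (and its provider key) for both the real token and the tautology, while safe_lookup returns the row only for the real token and None for anything else. Even where a parameterised query is already in place, the v2 layout limits what a database extraction is worth, which is the point of the blast-radius quote above.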


IOCs

| Indicator | Type | Context |
|---|---|---|
| recargapopular[.]com | C2 Domain | Sefirah infostealer exfiltration (Open-OSS/privacy-filter) |
| Open-OSS/privacy-filter | Malicious HF Repo | Now removed; loader.py infostealer dropper |
| loader.py with base64 + CREATE_NO_WINDOW subprocess | Behavioral | Model loader pattern for this campaign |
| start.bat + sefirah binary | Malware Components | Stage 2+3 of the chain |
| CVE-2026-25874 | CVE | LeRobot pickle deserialization RCE, CVSS 9.3, unpatched |
| CVE-2026-42208 | CVE | LiteLLM pre-auth SQL injection, actively exploited |
| 7z-compressed .bin model files on Hugging Face | Behavioral IOC | NullifAI scanner bypass indicator |
| PowerShell with -WindowStyle Hidden + base64-decoded URL in model loader | Behavioral | Infostealer dropper pattern |


Lyrie Take

The AI model supply chain is approximately 5–7 years behind the maturity curve that npm and PyPI reached after their own poisoning epidemics. The same structural conditions that made those registries dangerous are present in Hugging Face at greater scale and with higher-value targets: low upload friction, trust-by-download-count, no mandatory code review, and an ecosystem that expects pip install or torch.load() to be safe by default.

Three factors make the AI context worse than historical package manager attacks:

1. The execution context is privileged by default. Production AI inference doesn't run in a container as nobody:nobody. It runs on GPU servers with cloud IAM credentials, model weight access, and often direct database connections. A malicious model isn't a reverse shell in your CI pipeline — it's a reverse shell on your most privileged compute.

2. The trust signal is inverted. Downloads, stars, and trending position are the primary trust signals on Hugging Face. The Open-OSS/privacy-filter campaign weaponized all three. High download counts were artificially inflated; the trending position was real. Engineers evaluating a model don't have the equivalent of pip audit or a dependency graph vulnerability scanner — they have a model card and a download number.

3. The scanner bypass is already codified. NullifAI isn't a novel research finding being slowly operationalized. It's an active campaign technique that has been documented, analyzed, and by now almost certainly incorporated into multiple threat actors' toolkits. The scanner that Hugging Face deploys is bypassed by a packaging format change. That's not a hard fix; it's a solved problem — but it requires Hugging Face to redesign its scanner pipeline to handle arbitrary archive formats before inspecting pickle content.

The CVE-2026-25874 situation — a CVSS 9.3 unpatched for months, with the fix not yet shipped — mirrors the pattern seen in critical infrastructure vulnerabilities where the team acknowledges severity but is paralyzed by refactoring scope. In the AI context, this is particularly dangerous because LeRobot deployments increasingly exist in industrial settings where the PolicyServer isn't just a research tool but a component controlling physical actuators.


Defender Playbook

Immediate (0–48 hours):

  • [ ] Audit all Hugging Face model downloads in your ML environment from the past 90 days. Cross-reference against Protect AI's scanner results or run modelscan (Protect AI's open-source tool) against cached model files.
  • [ ] Check for loader.py files in any model repository directories; any such file with base64-encoded strings, CREATE_NO_WINDOW subprocess calls, or ssl._create_unverified_context() is high-confidence malicious.
  • [ ] If running LeRobot: isolate the PolicyServer immediately — firewall the gRPC port against all unauthenticated network access, or disable async inference until CVE-2026-25874 is patched in v0.6.0.
  • [ ] Rotate all API keys stored in LiteLLM credential tables. If running LiteLLM Proxy, apply the CVE-2026-42208 patch or restrict database network access to localhost only.
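For the loader.py check in the second item above and the behaviour listed under Vector 2, here is an added example, not HiddenLayer's tooling, of a static triage in Python: the file is parsed with ast and never imported, and the indicators named on this page are matched structurally rather than by grep. Both sample sources are constructed; the malicious one reproduces only the indicator lines, with an .invalid host and a placeholder command.

```python
import ast
import re

# Textual indicators drawn from the loader.py behaviour listed above.
B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")
PS_HIDDEN = re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE)


def dotted(node):
    """Render a Name/Attribute chain (e.g. subprocess.CREATE_NO_WINDOW) as text, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_loader(source: str) -> list:
    """Static inspection only: sorted (line, indicator) pairs, nothing executed."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Attribute, ast.Name)):
            name = dotted(node)
            if name == "ssl._create_unverified_context":
                findings.add((node.lineno, "ssl-verification-disabled"))
            elif name and name.endswith("CREATE_NO_WINDOW"):
                findings.add((node.lineno, "hidden-window-subprocess"))
        elif isinstance(node, ast.Call):
            if dotted(node.func) in ("base64.b64decode", "b64decode"):
                findings.add((node.lineno, "base64-decoded-value"))
        elif isinstance(node, ast.Constant):
            if isinstance(node.value, str):
                if B64_LITERAL.match(node.value):
                    findings.add((node.lineno, "base64-looking-literal"))
                if PS_HIDDEN.search(node.value) or "powershell" in node.value.lower():
                    findings.add((node.lineno, "powershell-invocation"))
            elif node.value == 0x08000000 and not isinstance(node.value, bool):
                # the numeric value of CREATE_NO_WINDOW, written out to dodge the name
                findings.add((node.lineno, "hidden-window-subprocess"))
    return sorted(findings)


def verdict(findings) -> str:
    """Two or more distinct indicators is the page's high-confidence threshold."""
    kinds = {kind for _line, kind in findings}
    if len(kinds) >= 2:
        return "high-confidence malicious"
    return "review" if kinds else "clean"


# Constructed samples (not the campaign's file). The first carries only the
# indicator lines; the literal decodes to http://c2.example.invalid/payload and
# the command is a placeholder, so the text does nothing even if it were run.
MALICIOUS_SAMPLE = '''
import base64, ssl, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
resource = base64.b64decode("aHR0cDovL2MyLmV4YW1wbGUuaW52YWxpZC9wYXlsb2Fk").decode()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", "<placeholder>"],
                 creationflags=subprocess.CREATE_NO_WINDOW)
'''

CLEAN_SAMPLE = '''
import torch
from transformers import AutoTokenizer
tokenizer = AutoTokenizer.from_pretrained("./tokenizer")
weights = torch.load("./model.bin", map_location="cpu", weights_only=True)
'''
```

On the constructed samples, triage_loader finds all five indicator kinds in the first and nothing in the second. Because it works on the syntax tree, a loader that aliases the module (import subprocess as sp) still matches on the CREATE_NO_WINDOW attribute, and one that spells out 0x08000000 is caught by the numeric check; string obfuscation beyond base64 (e.g. a URL assembled at runtime) is where a static pass stops and sandboxed execution with egress blocked has to take over.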

Short-term (1–2 weeks):

  • [ ] Implement a model provenance policy: only load models from organizational mirrors where each upload has been scanned with modelscan and inspected for NullifAI patterns (7z containers, embedded executable opcodes in .bin files).
  • [ ] Add safetensors format as a mandatory standard for your internal model registry. safetensors does not execute code on deserialization — it is a purely data-format approach that eliminates pickle RCE by design. Where models must use pickle (legacy torch.save() outputs), load them in an isolated subprocess or container with no credentials.
  • [ ] Deploy network egress monitoring on all inference servers. Infostealer behavior (screenshot capture → compression → HTTP POST to external IP) is detectable at the network layer even when EDR misses it.
  • [ ] Subscribe to Hugging Face security advisories and integrate HiddenLayer or Protect AI's model security scanner into your MLOps CI/CD pipeline.

Strategic (1–3 months):

  • [ ] Treat model files as executable code in your supply chain security policy — the same SBOM requirements, provenance attestation, and vulnerability scanning you apply to Docker images should apply to .bin and .pt files.
  • [ ] Evaluate your LiteLLM deployment: consider dedicated secrets management (HashiCorp Vault, AWS Secrets Manager) for AI API keys rather than database-stored credentials, reducing blast radius from SQL injection.
  • [ ] For LeRobot and any robotics/physical automation deployments: establish a written security posture review cadence. The December 2025 → May 2026 gap between disclosure and the planned fix is unacceptable for any system with physical safety implications.

Sources

1. HiddenLayer — "Malware Found in Trending Hugging Face Repository: Open-OSS/privacy-filter" (May 2026): https://www.hiddenlayer.com/insight/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter

2. BleepingComputer — "Fake OpenAI repository on Hugging Face pushes infostealer malware" (May 9, 2026): https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/

3. The Hacker News — "Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE" (CVE-2026-25874): https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html

4. Resecurity — "CVE-2026-25874: Hugging Face LeRobot Unauthenticated RCE via Pickle Deserialization": https://www.resecurity.com/blog/article/cve-2026-25874-hugging-face-lerobot-unauthenticated-rce-via-pickle-deserialization

5. VulnCheck Advisory — LeRobot Unsafe Deserialization: https://www.vulncheck.com/advisories/lerobot-unsafe-deserialization-remote-code-execution-via-grpc

6. The Hacker News / Sysdig — "LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure": https://thehackernews.com/2026/04/litellm-cve-2026-42208-sql-injection.html

7. The Next Web — "Hugging Face and ClawHub compromised with hundreds of malicious AI models" (May 2026): https://thenextweb.com/news/hugging-face-clawhub-malware-ai-supply-chain

8. BeyondScale — "Open Source AI Model Security: Vetting Hugging Face Downloads": https://beyondscale.tech/blog/open-source-ai-model-security-hugging-face

9. Protect AI / Hugging Face Scanner Project — 4M+ models scanned, 352K issues identified (2026)

10. JFrog Security — NullifAI pickle bypass technique analysis (2026)


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.