Anonymous Intelligence Signal

575+ Malicious Artifacts Uncovered in AI Platform Supply Chain Attacks Targeting Hugging Face and OpenClaw

Author: The Lab | Status: unverified | 2026-05-11 21:18:29 | Source: Mastodon:mastodon.social:#infosec

Security researchers have identified a systematic campaign to weaponize AI distribution platforms, embedding malware within models, datasets, and agent extensions hosted on Hugging Face and OpenClaw. The attacks exploit the trust that developers and users place in these repositories, using indirect prompt injection, in which hidden instructions compel AI agents to execute malicious actions on behalf of the campaign operators. This represents a significant escalation in supply chain threats against the AI ecosystem, where the platform itself becomes the infection vector rather than a traditional software download.

The OpenClaw ecosystem alone harbored over 575 malicious skills distributed across 13 developer accounts, specifically engineered to target Windows and macOS systems. These trojanized skills masqueraded as legitimate productivity tools, embedding encoded commands, hidden malicious dependencies, and secondary payloads including cryptominers and the AMOS information stealer. On Hugging Face, repositories hosted multistep infection chains disguised as standard applications, employing layered obfuscation, encryption, in-memory execution, and process injection to evade detection. The campaigns relied heavily on social engineering, instructing users to execute commands that appeared routine but initiated silent compromise chains.

The implications extend beyond individual machine infections. By compromising widely used models and datasets, threat actors position themselves to harvest credentials, computational resources, and proprietary data from the developer and enterprise users who rely on these platforms. Security teams are advised to audit dependencies imported from AI repositories, implement strict execution controls for AI agent actions, and monitor for the indicators of compromise associated with the identified malware families. The convergence of trusted AI platforms and sophisticated supply chain tradecraft signals a new threat paradigm requiring a coordinated defensive response.