Security incident disclosure — July 2026

Security incident disclosure — July 2026

安全事件披露 — 2026年7月

Earlier this week, we detected and responded to an intrusion into part of our production infrastructure. This one was different from anything we had handled before in one important way: it was driven, end to end, by an autonomous AI agent system - and we detected and dissected it largely with AI of our own. 本周早些时候,我们检测并应对了一起针对我们部分生产基础设施的入侵事件。这次事件与我们以往处理过的任何情况都有一个重要的不同点:它是完全由自主 AI 智能体系统驱动的——而我们主要依靠自己的 AI 系统对其进行了检测和剖析。

We identified unauthorized access to a limited set of internal datasets and to several credentials used by our services. We are still completing our assessment of whether any partner or customer data was affected, and we will contact any affected parties directly as required. We have found no evidence of tampering with public, user-facing models, datasets, or Spaces, and our software supply chain (container images and published packages) was verified clean. 我们确认了对有限的一组内部数据集以及我们服务所使用的若干凭据的未经授权访问。我们仍在评估是否有任何合作伙伴或客户数据受到影响,并将根据需要直接联系受影响方。我们没有发现任何针对面向公众的用户模型、数据集或 Spaces 被篡改的证据,我们的软件供应链(容器镜像和已发布包)也已验证为安全。

What happened

事件经过

The intrusion started where AI platforms are uniquely exposed: the data-processing pipeline. A malicious dataset abused two code-execution paths in our dataset processing (a remote-code dataset loader and a template-injection in a dataset configuration) to run code on a processing worker. From there, the actor escalated to node-level access, harvested cloud and cluster credentials, and moved laterally into several internal clusters over a weekend. 入侵始于 AI 平台特有的暴露点:数据处理流水线。一个恶意数据集利用了我们数据集处理过程中的两个代码执行路径(远程代码数据集加载器和数据集配置中的模板注入),在处理工作节点上运行了代码。随后,攻击者升级至节点级访问权限,窃取了云和集群凭据,并在周末期间横向移动到了多个内部集群。

The campaign was run by an autonomous agent framework (appearing to be built on an agentic security-research harness - used LLM still not known) executing many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services. This matches the “agentic attacker” scenario the industry has been forecasting. 此次行动由一个自主智能体框架驱动(看起来是基于某种智能体安全研究工具构建的,所使用的 LLM 尚不明确),该框架在大量短生命周期的沙箱中执行了数千次独立操作,并利用公共服务部署了可自我迁移的命令与控制(C2)服务器。这与业界一直预测的“智能体攻击者”场景相吻合。

What we did

我们的应对措施

Fixed the root vulnerability: the dataset code-execution paths used for initial access are closed. Eradicated the attacker’s foothold across the affected clusters and rebuilt the compromised nodes. Revoked and rotated the affected credentials and tokens, and began a broader precautionary rotation of secrets. Deployed additional guardrails and stricter admission controls on our clusters. Improved our detection and alerting so a high-severity signal pages a responder in minutes, any day of the week. We are working with outside cybersecurity forensic specialists to investigate the issue and review our security policies and procedures. Finally, we have also reported this incident to law enforcement agencies. 修复了根本漏洞:用于初始访问的数据集代码执行路径已被关闭。清除了攻击者在受影响集群中的立足点,并重建了受损节点。撤销并轮换了受影响的凭据和令牌,并开始进行更广泛的预防性密钥轮换。在我们的集群上部署了额外的护栏和更严格的准入控制。改进了检测和警报机制,确保高严重性信号能在几分钟内通知到响应人员,无论何时。我们正与外部网络安全取证专家合作调查此事,并审查我们的安全策略和流程。最后,我们已向执法部门报告了此事件。

For our community

致社区

As a precaution, we recommend rotating any access tokens and reviewing recent activity on your account. If you believe you are affected, or want to report a security concern, contact us at security@huggingface.co. We are grateful to the teams across Hugging Face who responded around the clock, and we are sorry for any disruption this caused. Security is never finished; we will keep raising the bar. 作为预防措施,我们建议您轮换访问令牌并检查账户的近期活动。如果您认为自己受到了影响,或希望报告安全问题,请通过 security@huggingface.co 联系我们。我们感谢 Hugging Face 各团队全天候的响应,并对由此造成的任何干扰深表歉意。安全工作永无止境;我们将继续提高标准。

Analyzing an AI-driven intrusion

分析 AI 驱动的入侵

The attack was initially surfaced through AI-assisted detection. Our anomaly-detection pipeline uses LLM-based triage over security telemetry to separate real signals from the daily noise, and it was the correlation of those signals that flagged the compromise. To understand what a swarm of tens of thousands of automated actions did, we ran LLM-driven analysis agents over the full attacker action log, comprised of more than 17,000 recorded events. This allowed us to reconstruct the timeline, extract indicators of compromise, map the credentials touched, and separate genuine impact from decoy activity. Thanks to this approach, we were able to do in hours what would usually take days, and match the adversary’s speed. 此次攻击最初是通过 AI 辅助检测发现的。我们的异常检测流水线利用基于 LLM 的分类技术对安全遥测数据进行处理,将真实信号从日常噪声中分离出来,正是这些信号的相关性标记了此次入侵。为了理解数以万计的自动化操作行为,我们对包含超过 17,000 条记录事件的完整攻击者操作日志运行了 LLM 驱动的分析智能体。这使我们能够重建时间线、提取入侵指标、映射被触及的凭据,并将真实影响与诱饵活动区分开来。得益于这种方法,我们能够在几小时内完成通常需要几天的工作,并跟上对手的速度。

The asymmetry problem

不对称问题

When we started the log analysis, we first used frontier models behind commercial APIs. This did not work: the analysis requires submitting large volumes of real attack commands, exploit payloads, and C2 artifacts, and these requests were blocked by the providers’ safety guardrails, which cannot distinguish an incident responder from an attacker. We ran the forensic analysis instead on GLM 5.2, an open-weight model, on our own infrastructure. This had a second benefit: no attacker data, and none of the credentials it referenced, left our environment. 当我们开始日志分析时,最初使用了商业 API 后端的尖端模型。但这行不通:分析需要提交大量真实的攻击命令、漏洞利用载荷和 C2 工件,而这些请求被提供商的安全护栏拦截了,因为它们无法区分事件响应者和攻击者。因此,我们在自己的基础设施上使用开源权重模型 GLM 5.2 进行了取证分析。这带来了第二个好处:没有任何攻击者数据及其引用的凭据离开我们的环境。

This experience points to a gap worth planning for. We do not know which model powered the attacker’s agents, whether a jailbroken hosted model or an unrestricted open-weight one; either way, the attacker was bound by no usage policy, while our own forensic work was blocked by the guardrails of the hosted models we first tried. The practical lesson for defenders: have a capable model you can run on your own infrastructure vetted and ready before an incident, both to avoid guardrail lockout and to keep attacker data and credentials from leaving your environment. 这一经历指出了一个值得规划的差距。我们不知道是什么模型驱动了攻击者的智能体,是越狱后的托管模型还是不受限制的开源权重模型;无论哪种情况,攻击者都不受任何使用政策的约束,而我们自己的取证工作却被最初尝试的托管模型的护栏所阻挡。给防御者的实际教训是:在事件发生前,准备好一个可以在您自己的基础设施上运行且经过验证的强大模型,既能避免被护栏锁定,又能防止攻击者数据和凭据离开您的环境。

What this means

这意味着什么

Autonomous, AI-driven offensive tooling is no longer theoretical. It lowers the cost of running a broad, patient, multi-stage campaign, and it operates at machine speed. Defending an online platform now means treating the data and model surface as a first-class attack surface, and using AI on defense to keep pace. We will keep investing there, and keep sharing what we learn. 自主的、AI 驱动的攻击工具已不再是理论。它降低了执行广泛、耐心、多阶段攻击活动的成本,并以机器速度运行。防御在线平台现在意味着将数据和模型层面视为一流的攻击面,并利用 AI 进行防御以保持同步。我们将继续在此领域投入,并持续分享我们的经验。