Security incident disclosure — July 2026
Hugging Face Blog 15 hours ago
Hugging Face detected and contained an intrusion driven entirely by an autonomous AI agent system that exploited vulnerabilities in their dataset processing pipeline to gain access to internal credentials and datasets. The attacker executed over 17,000 individual actions across multiple compromised clusters over a weekend before being detected and eradicated. The company has closed the exploited code-execution paths, rotated credentials, and now plans to maintain on-premise AI models for forensic analysis during future incidents, particularly to avoid safety guardrails that block analysis of real attack data.