Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware

HomeCyber Attack News Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware By Guru Baran May 8, 2026 An active malware distribution campaign abusing two prominent AI platforms, Hugging Face and ClawHub, to deliver trojans, cryptominers, and infostealers disguised as legitimate AI tools and agent extensions. The campaign marks a significant evolution in supply chain attacks, shifting from traditional software repositories to trusted AI ecosystems. Within the OpenClaw ecosystem distributed through ClawHub, Acronis TRU identified 575 malicious skills published across 13 developer accounts. The campaign appears to be primarily driven by two threat actors: “hightower6eu,” responsible for 334 malicious skills (58%), and “sakaen736jih,” responsible for 199 skills (34.6%), with the remaining 11 accounts contributing smaller volumes. These trojanized skills masquerade as useful tools such as a YouTube transcript summarizer while secretly instructing users to download password-protected archives or execute encoded commands. Hugging Face and ClawHub Leveraged For Windows targets, payloads were detected as trojans packed with VMProtect. For macOS, a base64-encoded command connects to an external IP (91.92.242[.]30) and silently downloads and executes AMOS Stealer, a macOS-focused infostealer commonly sold as malware-as-a-service (MaaS) through Telegram and underground forums. A second Windows payload used a 30-byte XOR key to decrypt strings at runtime, dynamically resolved NT APIs, and performed in-memory process injection into explorer.exe. The injected code established AES-encrypted C2 communication over HTTPS to hxxps://velvet-parrot[.]com:443, downloaded a cryptominer disguised as svchost.exe, and maintained persistence via scheduled tasks and Windows Defender exclusion paths. A critical technique observed across ClawHub campaigns is indirect prompt injection, which embeds hidden, malicious instructions within skill files that AI agents read and execute on behalf of users. Because OpenClaw agents are designed to act autonomously based on instructions in skill definitions, attackers can effectively turn these agents into unwitting intermediaries, expanding attack impact far beyond the initial victim. On Hugging Face, which hosts over one million machine learning models, Acronis TRU identified repositories serving as multi-stage infection chain staging points, hosting payloads across Windows, Linux, and Android. Two tracked campaigns illustrate this abuse in practice. The ITHKRPAW campaign, targeting Vietnamese financial sector organizations in January, used a malicious LNK file to invoke Cloudflare Workers, which served a PowerShell dropper that fetched a payload from a Hugging Face dataset repository while opening a decoy cat image to mask activity. Attack Chain (Source: Acronis) Researchers assess with moderate confidence that the PowerShell script was LLM-generated, based on embedded Vietnamese-language comments. The FAKESECURITY campaign used a batch script (CDC1.bat) containing an encoded PowerShell blob that downloaded a heavily obfuscated secondary batch script from a Hugging Face repository. After stripping the Mark-of-the-Web to bypass Windows SmartScreen, the malware injected shellcode into explorer.exe and dropped a file masquerading as Windows Security. Organizations and developers should treat AI models, datasets, and agent extensions as untrusted inputs requiring the same validation applied to any third-party code. Specific steps include auditing installed OpenClaw skills for encoded commands or external download instructions, monitoring for unexpected process injection into explorer.exe, blocking known malicious indicators (91.92.242[.]30, velvet-parrot[.]com), and restricting Windows Defender exclusion path modifications via Group Policy. Cybercriminals now enter through your suppliers instead of your front door – Free Webinar Tags cyber security cyber security news malware Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Darkhub Hacking-for-Hire Portal Advertises Crypto Fraud, Message Interception, and Monitoring Attackers Weaponize SAP npm Packages to Steal GitHub, Cloud, and AI Coding Tool Secrets New Cisco Network Vulnerability Let Remote Attacker Cause DoS Attack Attackers Deploy AiTM Phishing Pages to Access SharePoint, HubSpot, and Google Workspace Vimeo Data Breach Exposes 119,000 Users Unique Email Addresses Latest News Cyber Security News NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users Cyber Security Let’s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident Cyber Security Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information Cyber Security News New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials Cyber Security News Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities