Malware Distribution via Hugging Face and ClawHub
Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.
Threat actors are leveraging AI distribution platforms like Hugging Face and ClawHub to distribute malware. They rely on social engineering to deceive users into downloading files that contain malicious code. Rather than directly compromising AI agents, the attackers abuse user trust by injecting indirect prompts into resources that the AI accesses. Acronis reported that on ClawHub, nearly 600 malicious skills across 13 developer accounts were identified distributing trojans, cryptominers, and information stealers targeting both Windows and macOS. On Hugging Face, attackers created repositories hosting malicious files that stage multi-step infection chains leading to infostealers, trojans, malware loaders, and other types of malware targeting Windows, Linux, and Android. This tactic lets attackers bypass traditional security measures and leverage the platforms’ reputation for trusted AI tooling.
Attack Chain
- Attacker creates a malicious repository or skill on Hugging Face or ClawHub.
- The repository or skill contains files that appear legitimate but include malicious code.
- The attacker uses social engineering to entice users to download the files.
- Upon execution, the malicious code fetches additional payloads from external sources.
- For macOS, the payload can be Atomic macOS Stealer (AMOS).
- The downloaded payload executes commands to install hidden dependencies.
- The malware establishes persistence on the victim’s system.
- The malware performs its intended malicious actions, such as stealing information or mining cryptocurrency.
Impact
Successful attacks can lead to the installation of various types of malware, including infostealers, trojans, cryptominers, and malware loaders. The targeted platforms include Windows, macOS, Linux, and Android, potentially impacting a wide range of users and systems. The abuse of trust in AI distribution platforms poses a significant risk, as users may be less likely to scrutinize files from these sources. Acronis identified close to 600 malicious skills on ClawHub alone, indicating the scale of this threat.
Recommendation
- Monitor process creation events for execution of downloaded files from Hugging Face or ClawHub with unusual parent processes using the “Detect Suspicious Process Execution from AI Platforms” Sigma rule.
- Implement network monitoring to detect connections to known malicious domains or IPs associated with malware distribution campaigns that originate from processes associated with AI platform tooling.
- Educate users about the risks of downloading files from untrusted sources, even on trusted platforms like Hugging Face and ClawHub.
- Regularly scan systems for known malware signatures and indicators of compromise associated with infostealers and trojans.
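The first two recommendations describe the logic of the process-creation detection without showing it. The following is an added example written for this page, not Acronis code and not the platform’s own Sigma rule: it scans constructed process-creation events and raises a high-severity finding when an executed file was downloaded from one of the named AI platforms and its parent process is not one a user-initiated launch would normally have. It assumes the log pipeline has already extracted the file’s download origin (for example the Mark-of-the-Web `HostUrl` on Windows or the `com.apple.quarantine` origin on macOS) into a `download_url` field; the allowlist of expected parents and the `clawhub.example` host are placeholders to be tuned for a real environment.

```python
"""Added example: flag execution of files downloaded from AI distribution
platforms (Hugging Face, ClawHub) when the parent process is unusual.

Assumptions (not from the advisory): each event is a JSON object with
'host', 'image', 'parent_image' and an optional 'download_url' that the
log pipeline has already recovered from Mark-of-the-Web / quarantine data.
"""

import json
from urllib.parse import urlparse

# Platform hosts to match. huggingface.co is real; the ClawHub host is
# unknown here, so clawhub.example is a labelled placeholder.
AI_PLATFORM_HOSTS = ("huggingface.co", "clawhub.example")

# Parents that normally launch a file a user just downloaded (assumed
# baseline; tune per environment). Anything else is treated as unusual.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "finder", "launchd",
                    "terminal", "bash", "zsh"}


def origin_is_ai_platform(url):
    """True when the download URL's host is a platform host or a subdomain of one."""
    if not url:
        return False
    host = (urlparse(url).hostname or "").lower()
    # Exact match or a real subdomain (cdn-lfs.huggingface.co), never a
    # look-alike such as evil-huggingface.co or a path containing the name.
    return any(host == h or host.endswith("." + h) for h in AI_PLATFORM_HOSTS)


def parent_name(path):
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return a finding dict for a suspicious event, or None."""
    if not origin_is_ai_platform(event.get("download_url")):
        return None
    parent = parent_name(event.get("parent_image", ""))
    if parent in EXPECTED_PARENTS:
        return None
    return {
        "severity": "high",
        "rule": "Suspicious Process Execution from AI Platforms",
        "host": event.get("host", "?"),
        "image": event.get("image", "?"),
        "parent": parent,
        "origin": event["download_url"],
    }


def scan(lines):
    """Run evaluate() over JSON lines; skip blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken log line must not abort the sweep
        finding = evaluate(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry or real repositories).
SAMPLE_EVENTS = [
    # User double-clicks a download in Explorer: expected parent, no finding.
    json.dumps({"host": "ws01", "image": "C:\\Users\\alice\\Downloads\\model_tool.exe",
                "parent_image": "C:\\Windows\\explorer.exe",
                "download_url": "https://huggingface.co/constructed-user/constructed-repo/resolve/main/model_tool.exe"}),
    # Same kind of file launched by a Python interpreter: unusual parent, finding.
    json.dumps({"host": "ws01", "image": "C:\\Users\\alice\\Downloads\\model_tool.exe",
                "parent_image": "C:\\Program Files\\Python311\\python.exe",
                "download_url": "https://cdn-lfs.huggingface.co/constructed/blob"}),
    # macOS skill installer spawned by osascript: unusual parent, finding.
    json.dumps({"host": "mac02", "image": "/Users/bob/Downloads/skill_installer",
                "parent_image": "/usr/bin/osascript",
                "download_url": "https://clawhub.example/skills/constructed-skill"}),
    # No download origin recorded: out of scope for this rule.
    json.dumps({"host": "ws03", "image": "C:\\Temp\\tool.exe",
                "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    "this line is not JSON",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Running the block prints the two findings (the Python-spawned Windows executable and the osascript-spawned macOS installer); the Explorer launch and the event with no recorded origin are ignored, as is the malformed line. In production the same `evaluate` logic maps directly onto a Sigma `process_creation` selection keyed on the origin URL and parent image, with the allowlist expressed as a filter condition.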
Detection coverage (2 rules)
Detect Suspicious Process Execution from AI Platforms
Severity: high. Detects suspicious process executions originating from files downloaded from AI platforms like Hugging Face or ClawHub, indicating potential malware activity.
Detect Suspicious macOS Process Execution from AI Platforms
Severity: high. Detects suspicious process executions originating from files downloaded from AI platforms like Hugging Face or ClawHub on macOS, indicating potential malware activity.
Detection queries are kept inside the platform.