Threat actors are using trojanized shared files to distribute malware via AI distribution platforms such as Hugging Face and ClawHub, Acronis reports.
The attacks do not compromise AI agents, but rely on social engineering to trick users into downloading files containing malicious code designed to execute commands, fetch payloads, and install hidden dependencies.
The same as other AI distribution platforms, both Hugging Face and ClawHub allow developers to easily share code, and threat actors are abusing users’ trust in them for nefarious purposes.
“A key aspect of this activity is the abuse of trust between users, AI agents and external resources. Through techniques such as indirect prompt injection, attackers embed hidden instructions that can be executed by AI systems without user awareness,” Acronis explains.
On ClawHub, the company identified close to 600 malicious skills across 13 developer accounts designed to distribute trojans, cryptominers, and information stealers targeting both Windows and macOS systems.
Two of the identified developer accounts contained most of the malicious skills: hightower6eu had 334, and sakaen736jih had 199, Acronis says.
In the OpenClaw ecosystem, skills are community-built extensions that allow users to expand their agents’ capabilities. This modular architecture also means that the AI can execute external code with high privileges.
By injecting indirect prompts into resources that the AI reads, the attackers instruct the agents to download and execute code on users’ machines, leading to malware infections. One of the identified payloads targeting macOS users is the infamous Atomic macOS Stealer (AMOS) Stealer.
“It appears that threat actors distributing payloads through traditional vectors such as malvertisement are increasingly shifting toward poisoning trusted distribution channels. In particular, AI-related platform ecosystems such as ClawHub are being abused to deliver payloads while leveraging user trust in legitimate-looking AI tooling,” Acronis says.
Across two distribution campaigns abusing Hugging Face, the attackers created repositories hosting malicious files and designed to stage multi-step infection chains leading to infostealers, trojans, malware loaders, and other types of malware targeting Windows, Linux, and Android.
According to Acronis, other campaigns may also abuse the platform for similar purposes, as threat actors take advantage of Hugging Face’s increased popularity and rapid expansion.
“Accurately measuring the full extent is difficult because of the platform’s scale and the dynamic nature of hosted content. The true scale of this activity is likely higher but requires further and deeper investigation,” Acronis notes.
Related: Chinese Cybersecurity Firm’s AI Hacking Claims Draw Comparisons to Claude Mythos
Related: Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw
Related: Hugging Face Abused to Deploy Android RAT
Related: Dozens of Open VSX Extension Clones Linked to GlassWorm Malware
