Security incident disclosure - July 2026
We're on a journey to advance and democratize artificial intelligence through open source and open science. Back to Articles a]:hidden"> Security incident disclosure - July 2026 Published July 16, 2026 Update on GitHub Upvote 37 +31 system system Follow Earlier this week, we detected and responded to an intrusion into part of our production infrastructure. This one was different from anything we had handled before in one important way: it was driven, end to end, by an autonomous AI agent system - and we detected and dissected it largely with AI of our own.
Key Takeaways
- We identified unauthorized access to a limited set of internal datasets and to several credentials used by our services.
We are still completing our assessment of whether any partner or customer data was affected, and we will contact any affected parties directly as required.
- The campaign was run by an autonomous agent framework (appearing to be built on an agentic security-research harness - used LLM still not known) executing many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services.
This matches the "agentic attacker" scenario the industry has been forecasting.
- Improved our detection and alerting so a high-severity signal pages a responder in minutes, any day of the week.
We are working with outside cybersecurity forensic specialists to investigate the issue and review our security policies and procedures.
- Security is never finished; we will keep raising the bar.
Analyzing an AI-driven intrusion The attack was initially surfaced through AI-assisted detection.
- The choice of models we could use for this analysis was constrained in a way we did not anticipate; we describe this below.
We identified unauthorized access to a limited set of internal datasets and to several credentials used by our services. We are still completing our assessment of whether any partner or customer data was affected, and we will contact any affected parties directly as required. We have found no evidence of tampering with public, user-facing models, datasets, or Spaces, and our software supply chain (container images and published packages) was verified clean.
What happened The intrusion started where AI platforms are uniquely exposed: the data-processing pipeline. A malicious dataset abused two code-execution paths in our dataset processing (a remote-code dataset loader and a template-injection in a dataset configuration) to run code on a processing worker. From there, the actor escalated to node-level access, harvested cloud and cluster credentials, and moved laterally into several internal clusters over a weekend.
The campaign was run by an autonomous agent framework (appearing to be built on an agentic security-research harness - used LLM still not known) executing many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services. This matches the "agentic attacker" scenario the industry has been forecasting. What we did Fixed the root vulnerability: the dataset code-execution paths used for initial access are closed.
For more details please read the original article at Hugging Face.
Continue Learning
Comments
Sign in to join the conversation