Acronis identified nearly 600 malicious skills on ClawHub and multiple malware-laced repositories on Hugging Face exploiting trust in AI distribution platforms.
Threat actors are using trojanized shared files to distribute malware through AI distribution platforms including Hugging Face and ClawHub, according to a new report from Acronis. The attacks do not compromise AI agents themselves but rely on social engineering and indirect prompt injection to trick users and AI systems into downloading files containing malicious code designed to execute commands, fetch payloads, and install hidden dependencies.
On ClawHub, Acronis identified close to 600 malicious skills across 13 developer accounts, with two accounts (hightower6eu with 334 skills and sakaen736jih with 199) accounting for most of the malicious content. The trojanized skills distributed trojans, cryptominers, and information stealers targeting both Windows and macOS systems. By injecting indirect prompts into resources that AI agents read, attackers instruct the agents to download and execute code on users’ machines. One identified macOS payload was the Atomic macOS Stealer (AMOS).
Across two campaigns abusing Hugging Face, attackers created repositories hosting malicious files designed to stage multi-step infection chains leading to infostealers, trojans, malware loaders, and payloads targeting Windows, Linux, and Android. Acronis notes that accurately measuring the full extent is difficult due to the platform’s scale and the dynamic nature of hosted content, and the true scale is likely higher than what has been discovered so far.
This marks a shift from threat actors distributing payloads through traditional vectors like malvertising toward poisoning trusted AI distribution channels. Organizations using AI agent platforms should implement strict supply chain validation and monitor for suspicious skills or repositories from unknown developers.
Source: SecurityWeek — Hugging Face and ClawHub Abused for Malware Distribution via Trojanize
