A malicious dataset uploaded to Hugging Face carried two working exploits: a remote-code dataset loader and a template-injection bug in a dataset config file. Loading it ran code on a processing worker. From there an autonomous agent framework, not a human operator, took over: it escalated to node-level access, harvested cloud and cluster credentials, and moved laterally into several internal clusters over a weekend, executing thousands of individual actions across a swarm of short-lived sandboxes. Hugging Face disclosed this on July 16. It is one of the first times a major AI company has admitted an AI agent breached it end to end.
The fix for this isn’t observation after the fact, attribution, or fingerprinting model families. It’s preventing it from happening in the first place. It’s the use of natively ephemeral credentials. It’s ensuring that it doesn't matter which model shows up, because no model, known or unknown, benign or malicious, ever holds a credential that reaches a production cluster on its own. That's what zero-credential, on-behalf-of execution is built for: an agent gets scoped, time-boxed access brokered for the specific action it's taking. Not a standing key sitting on a worker node waiting for whomever compromises it next.
Hugging Face still doesn't know which model ran the attack. It could be a jailbroken hosted model, or an unrestricted open-weight one, they can't tell, and it really doesn’t matter. The fix - revoke the credentials, close the code-execution paths, and rebuild the compromised nodes - won’t change based on the answer. This isn't an attribution problem. It's a credential problem. Knowing which model broke you is never going to matter once the leash is snapped and production clusters are reached.
This is quite similar to JadePuffer in June: an agent didn't need to cleverly circumvent security, it just needed a standing credential to be exposed. Fun fact from Hugging Face's postmortem: their security team tried to analyze the attacker's 17,000-event action log using commercial frontier models, and the providers' safety guardrails blocked the requests, unable to tell a defender studying an attack from an attacker running one. They ended up running the analysis on an open-weight model on their own infrastructure instead.
Hugging Face rotated its credentials, rebuilt its nodes, and added stricter admission controls. Good moves, albeit a bit late. It’s likely the agents processing your datasets, running your workflows, touching your infrastructure right now are still running on the same kind of standing access that turned a dataset upload into a weekend-long lateral-movement campaign. NuDay's Policy Server enforces scoped, ephemeral, revocable access at the point of every tool call, so a compromised agent, of any origin, hits a wall instead of a credential. See how it works or request a demo.