Image: Screenshot via Hugging Face Homepage
Attackers exploited Hugging Face’s trusted infrastructure to spread an Android RAT, using fake security apps and thousands of malware variants.
Hugging Face is widely used by researchers and developers to host machine learning models, datasets, and tools. But researchers say attackers have found a way to exploit that trust.
Cybersecurity researchers at Bitdefender have uncovered a massive campaign in which attackers are using Hugging Face’s trusted infrastructure to host and spread a malicious Android Remote Access Trojan (RAT). By hiding their malicious code on a platform used by millions of developers, the attackers managed to fly under the radar of traditional security filters.
The attack doesn’t start with a shady link from a dark corner of the web. Instead, it begins with TrustBastion, an app that markets itself as a top-tier security tool.
According to Bitdefender, “In the most likely scenario, a user encounters an advertisement or similar prompt claiming the phone is infected and urging the installation of a security platform, often presented as free and packed with ‘useful’ features.”
Once a user sideloads this “security” app, the trap is sprung. The app immediately prompts an update, using visuals that closely mimic official Google Play and Android system dialogs. When the user clicks “update,” the app doesn’t open the Play Store; instead, it contacts Hugging Face to retrieve the update.
One of the most alarming parts of this discovery is the sheer speed of the operation.
The hackers used a technique called “server-side polymorphism,” which means they constantly churned out slightly different versions of the malware to confuse antivirus software.
Bitdefender’s analysis of the Hugging Face repository revealed a staggering level of activity: “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6,000 commits.”
While Hugging Face does use ClamAV to scan uploads, Bitdefender notes that the “platform doesn’t seem to have meaningful filters that govern what people can upload,” allowing these thousands of variations to sit on legitimate servers.
Once the second-stage payload is on the device, it asks for permission to use “Accessibility Services.” In the hands of a hacker, this is the “skeleton key” to your phone. Bitdefender reports that “Once granted, this permission gives the RAT broad visibility into user interactions across the device.”
With this access, the malware can:
Even when one part of the operation gets shut down, the hackers simply pivot.
After the TrustBastion repository disappeared in late December 2025, a new one called “Premium Club” popped up almost immediately. Bitdefender researchers confirmed that “While it may appear to be a different application, it uses the same underlying code.”
Hugging Face has since removed the malicious datasets after being notified by the security firm.
Separate research on AI giants leaking GitHub secrets shows exposed credentials remain a common risk even for top AI companies.
Aminu Abdullahi is a B2C and B2B technology and finance writer with more than six years of experience covering enterprise IT, cybersecurity, cloud computing, artificial intelligence, fintech, business software, and emerging technologies. His work has appeared in publications including TechRepublic, eWEEK, Channel Insider, Geekflare, Enterprise Networking Planet, eSecurity Planet, CIO Insight, and Webopedia. With a technical background in computer science, he specializes in translating complex technology topics into clear, accessible content for business leaders and decision-makers.
