Hugging Face Repositories Abused in New Android Malware Campaign
Hugging Face is widely used by researchers and developers to host machine learning models, datasets, and tools. But researchers say attackers have found a way to exploit that trust.
Cybersecurity researchers at Bitdefender have uncovered a massive campaign in which attackers are using Hugging Face’s trusted infrastructure to host and spread a malicious Android Remote Access Trojan (RAT). By hiding their malicious code on a platform used by millions of developers, the attackers managed to fly under the radar of traditional security filters.
The attack doesn’t start with a shady link from a dark corner of the web. Instead, it begins with TrustBastion, an app that markets itself as a top-tier security tool.
According to Bitdefender, “In the most likely scenario, a user encounters an advertisement or similar prompt claiming the phone is infected and urging the installation of a security platform, often presented as free and packed with ‘useful’ features.”
Once a user sideloads this “security” app, the trap is sprung. The app immediately prompts an update, using visuals that closely mimic official Google Play and Android system dialogs. When the user clicks “update,” the app doesn’t open the Play Store; instead, it contacts Hugging Face to retrieve the update.
Thousands of versions to dodge detection
One of the most alarming parts of this discovery is the sheer speed of the operation.
The hackers used a technique called “server-side polymorphism,” which means they constantly churned out slightly different versions of the malware to confuse antivirus software.
Bitdefender’s analysis of the Hugging Face repository revealed a staggering level of activity: “New payloads were generated roughly every 15 minutes. At the time of investigation, the repository was approximately 29 days old and had accumulated more than 6,000 commits.”
While Hugging Face does use ClamAV to scan uploads, Bitdefender notes that the “platform doesn’t seem to have meaningful filters that govern what people can upload,” allowing these thousands of variations to sit on legitimate servers.
Total control over your phone
Once the second-stage payload is on the device, it asks for permission to use “Accessibility Services.” In the hands of a hacker, this is the “skeleton key” to your phone. Bitdefender reports that “Once granted, this permission gives the RAT broad visibility into user interactions across the device.”
With this access, the malware can:
- Record your screen in real time
- Capture your lock screen password
- Display “fraudulent authentication interfaces” to steal credentials for apps like Alipay and WeChat
A game of digital whack-a-mole
Even when one part of the operation gets shut down, the hackers simply pivot.
After the TrustBastion repository disappeared in late December 2025, a new one called “Premium Club” popped up almost immediately. Bitdefender researchers confirmed that “While it may appear to be a different application, it uses the same underlying code.”
Hugging Face has since removed the malicious datasets after being notified by the security firm.
Separate research on AI giants leaking GitHub secrets shows exposed credentials remain a common risk even for top AI companies.
About Author
