Hugging Face BlogAI Agent

安全事件披露 — 2026年7月

2026年7月16日 00:00

重點摘要

返回文章列表 安全事件披露 — 2026年7月 發表於 2026年7月16日 GitHub 更新 點贊 13 +7 系統 系統 關注 本週稍早,我們偵測到並應對了一起針對部分生產基礎設施的入侵事件。這起事件與我們以往處理的任何情況有一個重要不同:它全程由自主AI代理系統驅動——而我們也主要依靠自身的AI系統偵測並剖析了它。我們發現未經授權的存取行為涉及一組有限的內部資料集,以及多項服務所使用的憑證。我們仍在評估是否有合作夥伴或客戶資料受到影響,如有將直接聯繫相關方。目前沒有發現任何公開、面向用戶的模型、資料集遭到竄改的證據。

站內 AI 整理稿

Back to Articles Security incident disclosure — July 2026 Published July 16, 2026 Update on GitHub Upvote 13 +7 system system Follow Earlier this week, we detected and responded to an intrusion into part of our production infrastructure. This one was different from anything we had handled before in one important way: it was driven, end to end, by an autonomous AI agent system - and we detected and dissected it largely with AI of our own. We identified unauthorized access to a limited set of internal datasets and to several credentials used by our services. We are still completing our assessment of whether any partner or customer data was affected, and we will contact any affected parties directly as required. We have found no evidence of tampering with public, user-facing models, datasets, or Spaces, and our software supply chain (container images and published packages) was verified clean. What happened The intrusion started where AI platforms are uniquely exposed: the data-processing pipeline. A malicious dataset abused two code-execution paths in our dataset processing (a remote-code dataset loader and a template-injection in a dataset configuration) to run code on a processing worker. From there, the actor escalated to node-level access, harvested cloud and cluster credentials, and moved laterally into several internal clusters over a weekend. The campaign was run by an autonomous agent framework (appearing to be built on an agentic security-research harness - used LLM still not known) executing many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services. This matches the "agentic attacker" scenario the industry has been forecasting. What we did Fixed the root vulnerability: the dataset code-execution paths used for initial access are closed. Eradicated the attacker's foothold across the affected clusters and rebuilt the compromised nodes. Revoked and rotated the affected credentials and tokens, and began a broader precautionary rotation of secrets. Deployed additional guardrails and stricter admission controls on our clusters. Improved our detection and alerting so a high-severity signal pages a responder in minutes, any day of the week. We are working with outside cybersecurity forensic specialists to investigate the issue and review our security policies and procedures. Finally, we have also reported this incident to law enforcement agencies. For our community As a precaution, we recommend rotating any access tokens and reviewing recent activity on your account. If you believe you are affected, or want to report a security concern, contact us at [email protected]. We are grateful to the teams across Hugging Face who responded around the clock, and we are sorry for any disruption this caused. Security is never finished; we will keep raising the bar. Analyzing an AI-driven intrusion The attack was initially surfaced through AI-assisted detection. Our anomaly-detection pipeline uses LLM-based triage over security telemetry to separate real signals from the daily noise, and it was the correlation of those signals that flagged the compromise. To understand what a swarm of tens of thousands of automated actions did, we ran LLM-driven analysis agents over the full attacker action log, comprised of more than 17,000 recorded events. This allowed us to reconstruct the timeline, extract indicators of compromise, map the credentials touched, and separate genuine impact from decoy activity. Thanks to this approach, we were able to do in hours what would usually take days, and match the adversary's speed. The choice of models we could use for this analysis was constrained in a way we did not anticipate; we describe this below. The asymmetry problem When we started the log analysis, we first used frontier models behind commercial APIs. This did not work: the analysis requires submitting large volumes of real attack commands, exploit payloads, and C2 artifacts, and these requests were blocked by the providers' safety guardrails, which cannot distinguish an incident responder from an attacker. We ran the forensic analysis instead on GLM 5.2, an open-weight model, on our own infrastructure. This had a second benefit: no attacker data, and none of the credentials it referenced, left our environment. This experience points to a gap worth planning for. We do not know which model powered the attacker's agents, whether a jailbroken hosted model or an unrestricted open-weight one; either way, the attacker was bound by no usage policy, while our own forensic work was blocked by the guardrails of the hosted models we first tried. The practical lesson for defenders: have a capable model you can run on your own infrastructure vetted and ready before an incident, both to avoid guardrail lockout and to keep attacker data and credentials from leaving your environment. This is not an argument against safety measures on hosted models, and we are sharing this feedback with the providers concerned. What this means Autonomous, AI-driven offensive tooling is no longer theoretical. It lowers the cost of running a broad, patient, multi-stage campaign, and it operates at machine speed. Defending an online platform now means treating the data and model surface as a first-class attack surface, and using AI on defense to keep pace. We will keep investing there, and keep sharing what we learn. Community EditPreview Upload images, audio, and videos by dragging in the text input, pasting, or clicking here. Tap or paste here to upload images Comment · Sign up or log in to comment Upvote 13 +1

Related

相關文章

接盤Manus的騰訊,何嘗不是另一個焦慮的Meta?

騰訊計劃以約20億美元從Meta手中回購AI Agent公司Manus,此舉反映其對人工智慧轉型的焦慮。騰訊在AI領域的佈局策略與Meta高度相似,包括高薪挖角和大量投資,但Meta自身的AI發展也遭遇瓶頸,騰訊能否走出不同路徑仍待觀察。

剛剛
智東西AI Agent

英偉達端出開放模型,助攻日本AI生態進化

智東西(公眾號:zhidxcom) 作者 | ZeR0 編輯 | 漠影 智東西7月16日報道,英偉達今日宣佈,日本領先的企業、初創公司和研究機構正在使用NVIDIA Nemotron開放模型、數據和庫構建行業專用AI模型和應用,從而加速開發適合日本語言、行業和勞動力的AI。 開放模型是國家AI生態系統的基礎,使組織能夠定製、部署和管理他們所控制的AI。

38 分鐘前
量子位AI Agent

用世界模型給VLA當教練,原力靈機發布DW0.5,把RL搬進虛擬世界

原力靈機推出具身世界模型DW0.5,將其作為VLA模型後訓練的高保真仿真器,透過在虛擬世界中執行強化學習,大幅降低對真實機器人數據的需求。該模型整合影片專家、動作專家和價值專家三大模組,能預測動作後果並提供密集反饋,使後訓練真機數據需求驟降60%,整體成本下降40%,並在打氣球、晾衣服等任務中顯著提升成功率。

1 小時前

眾籌近400萬美金,這家明星AI體育硬件公司做了款多合一教練機器人 |產品觀察

在首款網球發球機熱銷後,AI 體育硬體新創龐伯特(Pongbot)近期推出了多合一 AI 教練機器人 Aura,進一步將觸角從單一運動訓練工具延伸至跨項目運動場景。這款產品在群眾募資平台 Kickstarter 上線當天,僅五小時就募得超過 100 萬美元,最終累計金額接近 400 萬美元,顯示市場對這類整合型智慧教練產品的強烈興趣。 龐伯特是一級市場備受關注的標的,2025 年半年內完成三輪融資,累計金額達數億元人民幣;旗下產品已在全球累積超過 30 萬用戶,設備總發球量突破 20 億次。

2 小時前