Logan Kelly
An autonomous AI agent breached Hugging Face's dataset pipeline, harvesting credentials across clusters. The governance gap it exposed — and how to close it.

On July 16, 2026, Hugging Face disclosed that an autonomous AI agent had run a complete intrusion against their production infrastructure — start to finish, no human attacker at the keyboard. The agent exploited two code-execution paths in Hugging Face's dataset processing pipeline, escalated to node-level access, harvested cloud and cluster credentials, and moved laterally across internal clusters over a weekend. It executed many thousands of individual actions across a swarm of short-lived sandboxes, with self-migrating command-and-control staged on public services. The company found no evidence of tampering with public models, datasets, or Spaces, but confirmed unauthorized access to internal datasets and several service credentials.
This was not a proof of concept. It was a production attack, against a named company, run by an AI agent. The agentic attacker scenario that the security industry has been forecasting for years arrived without announcement on a Friday afternoon.
What Actually Happened — and Why the Dataset Pipeline Was the Entry Point
AI platforms are uniquely exposed at the data layer. Hugging Face's breach started where any sufficiently automated platform would be vulnerable: in the code that processes untrusted data at scale. A malicious dataset abused two code-execution paths — a remote-code dataset loader and a template injection in a dataset configuration field — to run code on a processing worker. From there, the agent escalated privileges and harvested cloud and cluster credentials.
The attacker's agent framework then moved laterally into several internal clusters over a weekend, executing what Hugging Face described as "many thousands of individual actions" across a swarm of short-lived sandboxes. The command-and-control infrastructure was self-migrating, staged on public services to blend in with normal traffic.
Hugging Face detected the breach using AI: an anomaly-detection pipeline with LLM-based triage over security telemetry, correlating signals across their environment. They then ran LLM-driven forensic analysis agents over the full attacker action log, which contained more than 17,000 recorded events. The AI-assisted forensics let them reconstruct the timeline, extract indicators of compromise, map the credentials touched, and separate genuine impact from decoy activity in hours rather than days.
But the forensic work ran into a problem that deserves more attention than it has received so far.
Why Agentic Attackers Break the Defender's Playbook
The attacker's agent operated under no usage policy. It could submit exploit payloads, attack commands, and credential-harvesting routines to whatever model powered it without restriction. Hugging Face's forensic team, trying to analyze those same artifacts, found they could not: the commercial API models they first tried blocked the requests because their safety guardrails cannot distinguish an incident responder from an attacker.
Hugging Face's own description of this is worth reading directly: "the attacker was bound by no usage policy, while our own forensic work was blocked by the guardrails of the hosted models we first tried." They resolved this by running forensic analysis on GLM 5.2, an open-weight model, on their own infrastructure — keeping attacker data and credentials from leaving their environment in the process.
This asymmetry is structural. Attackers, whether human or agentic, will always self-select toward systems with no usage policy. Defenders using AI for detection, triage, or response will face guardrails that are designed for the average API consumer, not for security workflows that require handling actual malicious payloads. The guardrail that correctly stops someone from asking a chatbot how to write malware also stops an incident responder from submitting a captured C2 payload for analysis.
What the Attack Looked Like From a Governance Lens
Strip out the AI angle for a moment. The structural failure here is familiar: an external-facing component processed untrusted input with code-execution privileges. The mitigations are also familiar — sandbox isolation, least-privilege permissions on the processing tier, input validation before execution.
What's new is the attack's execution model. A human attacker conducting this campaign over a weekend would have needed sustained attention, skill across multiple domains (initial access, privilege escalation, lateral movement, credential harvesting), and the discipline to avoid detection. An AI agent needs none of that. It runs continuously, retries failed steps automatically, adapts to partial successes, and generates no fatigue. Sysdig documented a separate agentic ransomware operation, JADEPUFFER, in July 2026 where the attacking agent recovered from a failed login attempt in 31 seconds before pivoting to a successful approach.
The attacker's advantage isn't a new exploit technique. It's machine-speed persistence applied to years-old attack paths. The dataset pipeline vulnerability that enabled this breach was not novel. The execution model was.
What Security Teams Should Check Right Now
Before you get to governance tooling, there are specific checks worth doing this week:
Your data processing tier. Any component that loads and executes code from untrusted external sources — dataset loaders, plugin processors, configuration parsers — should be running in strict sandboxes with no network egress and minimal host privileges. If it can run code, assume it will be used to do so.
Your ML pipeline credentials. Credentials used by your training and inference infrastructure should be scoped to exactly what each job requires. If a dataset processing worker can reach production cluster credentials, that scope is too wide. Rotate anything touched by an external-facing pipeline that hasn't been audited recently.
Your AI tooling for security workflows. If your team uses hosted AI models for threat intelligence, log analysis, or incident response, test now whether those models will accept security-relevant artifacts (CVE payloads, obfuscated commands, credential patterns). If they won't, you need a plan for in-house or self-hosted forensic AI before you're under active incident pressure.
Your agent telemetry. If you're running AI agents anywhere in your pipeline — for automation, data processing, or internal tooling — confirm you have complete execution traces for each run. An AI-driven forensic analysis of 17,000 attacker events is only possible because Hugging Face had 17,000 events to analyze. Agents with no execution log leave nothing to reconstruct from.
How Waxell Handles This
The Hugging Face breach illustrates two distinct problems: an attacker's AI agent operating without any execution constraints, and a defender's AI agents being blocked by blunt content policies at the moment they were needed most.
Waxell Observe addresses the first problem at the instrumentation layer. Two lines of code initialize the SDK; from there, every model call, tool use, and execution step produces a structured trace. Waxell auto-instruments 200+ libraries across frameworks including LangChain, CrewAI, LiteLLM, and AutoGen without requiring changes to existing agent code. The trace is what makes agentic attacker behavior detectable: you're not watching for known signatures, you're watching for execution patterns that deviate from expected behavior — an agent making thousands of short-lived external calls, touching credentials outside its normal scope, or escalating tool use across a weekend. Waxell's 50+ policy categories include rate-limiting, kill switches, scope enforcement, and identity policies that can flag or halt exactly these patterns at runtime.
For organizations running external AI agents or MCP-connected tools — the category that includes Claude Desktop, Cursor, and similar tools your team may already have deployed — Waxell MCP Gateway adds a second enforcement layer. Every tool call routes through the gateway, where tool fingerprinting tracks each tool across five trust states (Pending, Drift, Trusted, Blocked, Removed). A tool that starts behaving anomalously — requesting different permissions than it was fingerprinted for, or calling out to endpoints it hasn't reached before — surfaces immediately. Human-in-the-loop approval gates can hold any destructive or high-privilege action for review before it executes, with 30-second policy propagation when you need to lock something down fast. Secret blocking ensures credentials don't leave the gateway even if an agent is coerced into exfiltrating them.
The asymmetry problem — defenders' AI blocked while attackers' AI runs free — requires a different answer: a governed runtime where your own security-context AI runs under policies you control, not policies designed for the consumer API median. Waxell Runtime provides isolated execution with policy enforcement before each step and durable checkpointing. Security workflows that need to handle malicious artifacts can be granted the access they require, scoped precisely, without lifting restrictions across your entire AI environment.
Your agents are already running. The question is whether you'll know when one of them isn't yours.
Start free at waxell.dev/signup
FAQ
What is an agentic attacker?
An agentic attacker is an autonomous AI agent configured to conduct offensive operations — reconnaissance, credential theft, lateral movement, data exfiltration, or destruction — without human operators directing each step. Unlike scripted attack tools, agentic attackers can adapt to unexpected conditions in real time, retry failed steps with modified parameters, and operate continuously across extended time windows. The Hugging Face breach (July 2026) is the first public named-company incident where an agentic attacker ran a complete, multi-stage intrusion end to end.
How did the attacker get into Hugging Face's infrastructure?
The intrusion started with a malicious dataset that exploited two code-execution paths in Hugging Face's dataset processing pipeline: a remote-code dataset loader and a template injection vulnerability in a dataset configuration field. Once code was running on a processing worker, the agent escalated privileges, harvested cloud and cluster credentials, and moved laterally across internal clusters. No public models, datasets, or user-facing Spaces were tampered with.
Why couldn't Hugging Face's forensic team use commercial AI models for incident response?
Commercial AI APIs apply safety guardrails that block submission of attack commands, exploit payloads, and C2 artifacts — the exact content a forensic team needs to analyze during an incident. The guardrails are designed for average API consumers and cannot distinguish an incident responder from an attacker. Hugging Face resolved this by running forensic analysis on GLM 5.2, an open-weight model, on their own infrastructure, which also kept sensitive attacker data and captured credentials from leaving their environment.
What is the asymmetry problem in AI security?
The asymmetry problem refers to the structural advantage agentic attackers have over AI-assisted defenders: attackers choose systems without usage policies, while defenders' AI tools are subject to content restrictions that can block legitimate security work. Hugging Face explicitly described this in their disclosure: "the attacker was bound by no usage policy, while our own forensic work was blocked by the guardrails of the hosted models we first tried." The practical mitigation is to have a capable, self-hosted or privately governed AI available for security operations before you need it under incident pressure.
How does Waxell detect agentic attacker behavior?
Waxell Observe instruments every model call and tool use in an agent's execution, producing a complete trace per run. Agentic attackers generate distinctive execution patterns — high-frequency short-lived tool calls, access to credentials outside normal scope, lateral tool use across services an agent doesn't normally reach. Waxell's policy engine, with 50+ policy categories covering rate-limiting, identity, scope, and kill switches, can flag or halt these patterns at runtime. The MCP Gateway adds tool fingerprinting that detects when a tool's behavior diverges from its registered baseline.
Is this just a Hugging Face problem?
No. Any system that processes code from untrusted external inputs at scale is exposed to the same class of attack. The dataset pipeline vulnerability is specific to Hugging Face, but the structural risk — untrusted input with code-execution privileges, credentials scoped too broadly, agents with no runtime monitoring — is present in most organizations running AI at production scale. The agentic attacker model lowers the skill floor for conducting this type of campaign, which means the attack surface has effectively grown.
Sources:
Agentic Governance, Explained




