Threat Actors Abuse Hugging Face and ClawHub for Malware Distribution

Security researchers have documented in-the-wild campaigns that use AI distribution platforms for malware delivery. Per the Acronis Threat Research Unit (TRU), attackers leveraged Hugging Face repositories as staging infrastructure for payloads and abused the OpenClaw skill ecosystem to distribute trojans, cryptominers and the AMOS macOS stealer. Acronis TRU reports 575+ malicious skills across 13 developer accounts, and includes Indicators of Compromise and detection artifacts in its writeup. CyberPress and Socket Research independently analysed the OpenClaw/ClawHub marketplace and report hundreds of malicious packages; CyberPress states 314 skills were flagged by multiple security vendors and links a prolific publisher to the account "hightower6eu." CybersecurityNews reports that OpenClaw has integrated VirusTotal Code Insight scanning into ClawHub to automate detection of malicious skills.

Editorial analysis - technical context: Researchers describe multiple technical patterns used across campaigns, including multi-stage droppers, password-protected ZIP archives, obfuscated Base64 shell scripts, in-memory execution, process injection, and covert command-and-control (C2) channels. A notable technique documented by Acronis TRU is indirect prompt injection, where hidden instructions embedded in skill metadata or content can cause an agent to fetch and execute external code or run system commands on a user's behalf. These attack chains combine social engineering (masquerading as useful automation tools) with packaging patterns that evade simple signature-based scanning.

The incidents highlight a growing supply-chain and distribution risk specific to extensible AI agent ecosystems and community marketplaces. Unlike traditional package managers, agent skills often include metadata that can instruct runtime actions, creating novel abuse surfaces where natural-language-driven behaviors or auxiliary installers trigger secondary payload retrieval. Automated scanning integrations, such as the reported OpenClaw-VirusTotal Code Insight pipeline, target this class of risk but face limits when attackers use obfuscation, encrypted archives, or dynamic hosting on trusted platforms like Hugging Face.

For practitioners: Monitor adoption of automated code-analysis and runtime sandboxing for agent skills; watch for expanded use of trusted hosting as staging infrastructure; track vendor detections and emerging IOCs from Acronis TRU, Socket Research, Bitdefender, and VirusTotal; and evaluate packaging standards (deterministic bundles, signed metadata, hash checks) for skills. Observers should also track whether marketplaces adopt mandatory pre-publication scanning and clearer execution permission models for agent actions.