Supply-chain threat intelligence

Incident detail

critical · pypi · typosquatting · osv

Malicious code in extra-huggingface (PyPI)

extra-huggingface

Risk score

92

AI summary

Indexed incident for extra-huggingface (pypi).

Description

The package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. extra_huggingface/__init__.py re-exports run_agent, run_task, agent_info, and a persistence primitive from a bundled 8.5 MB Windows PE module extra_huggingface/_native.pyd. The CLI hardcodes DEFAULT_SERVER = "http://91.92.40.212:8080" and provides the subcommands run, install-autostart, remove-autostart, and autostart-status.

When invoked, run_agent(server=...) polls the attacker-controlled server at 91.92.40.212:8080 and dispatches tasks delivered by that server on the installer's machine; install_autostart() calls the native persistence("install", server) to register the agent for execution after login/boot so the C2 connection survives reboot. The actual networking, command dispatch, and persistence logic live in the opaque native binary, with the Python layer acting as a thin shim.

The package name impersonates the popular huggingface/huggingface_hub namespace while the metadata homepage is the placeholder github.com/example/extra_huggingface, consistent with a typosquat lure targeting ML developers.

When the module starts, the package activates its RAT capabilities, which include exfiltrating sensitive data. Although the package claims to be for educational use, its name and default actions suggest otherwise.
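A defender-side check for the package layout described above (an added example, not code from the advisory or from the package): it audits a package directory for the three traits the description names, a bundled native extension, a hardcoded plain-HTTP server literal pointing at a raw IP, and persistence/agent symbols exported or defined in the Python shim. The tree it scans is constructed inline with placeholder bytes standing in for the real binary; the tag names and regex are this example's own.

```python
import ast
import re
import tempfile
from pathlib import Path

# Traits taken from the advisory text: a bundled native module, a hardcoded
# http://<ip>:<port> server literal, and persistence / agent-control symbols.
NATIVE_SUFFIXES = {".pyd", ".so", ".dll"}
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
PERSISTENCE_NAMES = {"install_autostart", "remove_autostart", "persistence", "run_agent"}

def audit_package(pkg_dir: Path) -> list[str]:
    """Return sorted indicator tags found under pkg_dir (empty list if none)."""
    findings = set()
    for path in pkg_dir.rglob("*"):
        if path.suffix in NATIVE_SUFFIXES:
            findings.add("native-extension")
        if path.suffix != ".py":
            continue
        tree = ast.parse(path.read_text(encoding="utf-8", errors="replace"))
        for node in ast.walk(tree):
            # String constants shaped like a plain-HTTP server on a raw IP address
            if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                    and RAW_IP_URL.match(node.value):
                findings.add("hardcoded-ip-c2")
            # Imported (re-exported) or defined names tied to persistence / agent control
            if isinstance(node, (ast.ImportFrom, ast.FunctionDef)):
                names = {a.name for a in node.names} if isinstance(node, ast.ImportFrom) else {node.name}
                if names & PERSISTENCE_NAMES:
                    findings.add("persistence")
    return sorted(findings)

def build_constructed_sample(root: Path) -> Path:
    """Write a constructed stand-in mirroring the layout in the advisory (no real payload)."""
    pkg = root / "extra_huggingface"
    pkg.mkdir()
    (pkg / "_native.pyd").write_bytes(b"MZ" + b"\0" * 64)  # placeholder bytes, not the real PE
    (pkg / "__init__.py").write_text(
        "from ._native import run_agent, run_task, agent_info, persistence\n"
    )
    (pkg / "cli.py").write_text(
        'DEFAULT_SERVER = "http://91.92.40.212:8080"\n'
        "def install_autostart(server=DEFAULT_SERVER):\n    return persistence('install', server)\n"
    )
    return pkg

def demo() -> list[str]:
    """Audit the constructed sample; the files are only parsed, never imported or run."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_constructed_sample(Path(tmp)))
```

Point audit_package at any directory under site-packages to run the same check against an installed package; the Python files are parsed with ast and never executed.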


Category: MALICIOUS - the campaign has clearly malicious intent (for example, infostealers).

Campaign: 2026-06-extra-huggingface

Reasons (based on the campaign):

  • rat

  • exfiltration-browser-data

  • typosquatting

  • native-extension

  • persistence

  • infostealer

Technical details

Affected versions

=0.4.0

Indicators

  • affected version: =0.4.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents