Supply-chain threat intelligence
Risk score: 92
Indexed incident for extra-huggingface (pypi).
The package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. extra_huggingface/__init__.py re-exports run_agent, run_task, agent_info, and a persistence primitive from a bundled 8.5 MB Windows PE module extra_huggingface/_native.pyd. The CLI hardcodes DEFAULT_SERVER = "http://91.92.40.212:8080" and provides subcommands run, install-autostart, remove-autostart, and autostart-status. When invoked, run_agent(server=...) polls the attacker-controlled server at 91.92.40.212:8080 and dispatches tasks delivered by that server on the installer's machine; install_autostart() calls the native persistence("install", server) to register the agent for execution after login/boot so the C2 connection survives reboot. The actual networking, command dispatch, and persistence logic live in the opaque native binary, with the Python layer acting as a thin shim. The package name impersonates the popular huggingface/huggingface_hub namespace while the metadata homepage is the placeholder github.com/example/extra_huggingface, consistent with a typosquat lure targeting ML developers.
When the module starts, the package activates its RAT capabilities, which include exfiltrating sensitive data such as browser data. Although the package claims to be for educational use, its name and default behaviour suggest otherwise.
Category: MALICIOUS - The campaign has clearly malicious intent, in the same class as infostealers.
Campaign: 2026-06-extra-huggingface
Reasons (based on the campaign):
rat
exfiltration-browser-data
typosquatting
native-extension
persistence
infostealer