Hugging Face Packages Weaponized With a Single File Tweak


Security researchers at HiddenLayer discovered that Hugging Face AI models can be weaponized by modifying a single tokenizer.json file. This plain-text file, which maps integer IDs to human-readable tokens, can be tampered with to hijack model outputs, intercept tool call arguments, redirect URL tokens through attacker infrastructure, and exfiltrate credentials. The attack works on locally run models in SafeTensors, ONNX, and GGUF formats and affects platforms like LlamaCPP and Ollama. A poisoned model still runs normally, making detection difficult. The primary attack vector involves uploading a tampered model to a public repository for downstream distribution. Mitigations include using checksums, cryptographic model signing, and scanning third-party models before deployment.
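The checksum and scanning mitigations above, as an added example that is neither HiddenLayer's nor Dark Reading's code: it pins the SHA-256 of a downloaded tokenizer.json, diffs its ID-to-token table against a trusted copy, and flags vocabulary entries that look like URLs or domains. The tokenizer contents are constructed samples; the file layout assumed (model.vocab mapping token string to integer ID) is the Hugging Face tokenizer.json format.

```python
import hashlib
import json
import re

# Constructed sample tokenizer.json contents (not from any real model). In a
# Hugging Face tokenizer.json, model.vocab maps token string -> integer ID; the
# model emits IDs and the tokenizer decodes them back through this table, so a
# single swapped key changes what the user sees without breaking the model.
TRUSTED = {"model": {"type": "BPE", "vocab": {"hello": 0, "world": 1, "https": 2, "://": 3, "github": 4, ".com": 5}}}
TAMPERED = {"model": {"type": "BPE", "vocab": {"hello": 0, "world": 1, "https": 2, "://": 3, "attacker.example/": 4, ".com": 5}}}

# Hypothetical heuristic: tokens that carry a scheme, a "www." prefix or a host/path shape.
URL_LIKE = re.compile(r"https?://|www\.|[a-z0-9-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


def to_bytes(tok: dict) -> bytes:
    """Serialize as the file would sit on disk, i.e. what a loader actually reads."""
    return json.dumps(tok, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def id_to_token(tok: dict) -> dict:
    """Invert token->ID into ID->token, the direction decoding uses."""
    return {tid: t for t, tid in tok.get("model", {}).get("vocab", {}).items()}


def verify_tokenizer(candidate: bytes, pinned_sha256: str, trusted: dict) -> dict:
    """Check a downloaded tokenizer.json against a pinned digest and a trusted copy.
    'ok' is True only when the digest matches and no ID decodes differently."""
    report = {"digest_ok": sha256_hex(candidate) == pinned_sha256, "remapped_ids": {}}
    trusted_map, cand_map = id_to_token(trusted), id_to_token(json.loads(candidate))
    for tid in sorted(set(trusted_map) | set(cand_map)):
        if trusted_map.get(tid) != cand_map.get(tid):
            report["remapped_ids"][tid] = (trusted_map.get(tid), cand_map.get(tid))
    # Independent of the reference copy: surface any token that looks like a URL/domain.
    report["url_like_tokens"] = [t for t in cand_map.values() if URL_LIKE.search(t)]
    report["ok"] = report["digest_ok"] and not report["remapped_ids"]
    return report


if __name__ == "__main__":
    pinned = sha256_hex(to_bytes(TRUSTED))  # digest recorded when the model was vetted
    print(verify_tokenizer(to_bytes(TRUSTED), pinned, TRUSTED))
    print(verify_tokenizer(to_bytes(TAMPERED), pinned, TRUSTED))
```

The digest check alone catches any edit; the ID diff tells you which tokens were remapped, which is what an incident responder needs to judge impact.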

5m read time. From darkreading.com
Table of contents
- AI Tokenizer Flaw Lets Attackers Hijack Model Outputs
- Tokenizer Hijacking: Negating a Supply Chain Threat
