Hugging Face, the open source hub for AI models and components, is exposed to a weaponization vector through the tokenizer.json file that ships with many models. An attacker who can edit a locally stored tokenizer.json could hijack model outputs and exfiltrate data, gaining visibility into every URL the model accesses, API parameters, and embedded credentials, according to HiddenLayer security researcher Divyanshu Divyanshu.
HiddenLayer tested the attack on Hugging Face models run locally in the SafeTensors, ONNX, and GGUF formats, noting that it depends on modifying local files and so would not affect models served through Hugging Face's Inference API. A tampered tokenizer.json is structurally identical to a legitimate one and passes through the normal model distribution pipeline unchanged, so poisoned models could be distributed via public repositories.
Divyanshu says there are currently no public, freely available automated scanners for this specific issue, so organisations are urged to scan third-party models before use and to consider model signing in production. Because a tampered file is still schema-valid, format or structure checks alone will not catch it; detection has to rest on integrity controls such as pinned hashes or signatures over the files actually loaded. This story was published on 12 May 2026.
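The hash-pinning control the article recommends, as an added example (not HiddenLayer's tooling and not Hugging Face's own code). It assumes a trusted copy of the model directory was reviewed once and its file hashes pinned; every later load verifies the local files against that pin, and on a mismatch the tokenizer.json contents are diffed against the trusted copy to explain what changed. The minimal tokenizer.json, the file list and the tampering applied in `demo()` are all constructed for the example; the tampering is a generic edit, not the edit used in HiddenLayer's research.

```python
"""Integrity pinning for locally stored Hugging Face model files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Files the pin manifest covers. tokenizer.json is the file from the article;
# pinning the other two is an assumption made for this example.
PINNED_FILES = ("tokenizer.json", "tokenizer_config.json", "config.json")


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large weight files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict:
    """Pin every covered file that exists: {filename: sha256 hex digest}."""
    return {name: sha256_file(model_dir / name)
            for name in PINNED_FILES if (model_dir / name).is_file()}


def verify_manifest(model_dir: Path, manifest: dict) -> list:
    """Return the names of pinned files that are missing or whose hash differs."""
    return [name for name, expected in manifest.items()
            if not (model_dir / name).is_file()
            or sha256_file(model_dir / name) != expected]


def _vocab_as_dict(vocab) -> dict:
    # BPE/WordPiece/WordLevel store vocab as {token: id}; Unigram stores
    # [[token, score], ...]. Normalise both to a dict for comparison.
    if isinstance(vocab, list):
        return {item[0]: item[1] for item in vocab}
    return dict(vocab or {})


def diff_tokenizer(trusted: dict, local: dict) -> dict:
    """Explain a hash mismatch: which vocab entries and added tokens changed.

    Both files keep the same schema (the tampered file is structurally valid),
    so only their content is compared.
    """
    t_vocab = _vocab_as_dict(trusted.get("model", {}).get("vocab"))
    l_vocab = _vocab_as_dict(local.get("model", {}).get("vocab"))
    t_added = {a.get("content"): a for a in trusted.get("added_tokens", [])}
    l_added = {a.get("content"): a for a in local.get("added_tokens", [])}
    common_vocab = set(t_vocab) & set(l_vocab)
    common_added = set(t_added) & set(l_added)
    return {
        "vocab_added": sorted(set(l_vocab) - set(t_vocab)),
        "vocab_removed": sorted(set(t_vocab) - set(l_vocab)),
        "vocab_remapped": sorted(k for k in common_vocab if t_vocab[k] != l_vocab[k]),
        "added_tokens_added": sorted(set(l_added) - set(t_added)),
        "added_tokens_removed": sorted(set(t_added) - set(l_added)),
        "added_tokens_changed": sorted(k for k in common_added if t_added[k] != l_added[k]),
    }


# Constructed minimal tokenizer.json in the real file's top-level layout.
TRUSTED_TOKENIZER = {
    "version": "1.0", "truncation": None, "padding": None,
    "added_tokens": [{"id": 0, "content": "<unk>", "special": True}],
    "normalizer": None, "pre_tokenizer": {"type": "Whitespace"},
    "post_processor": None, "decoder": None,
    "model": {"type": "WordLevel", "unk_token": "<unk>",
              "vocab": {"<unk>": 0, "hello": 1, "world": 2}},
}


def demo() -> tuple:
    """Pin a trusted copy, tamper with the local copy, then detect and explain it."""
    with tempfile.TemporaryDirectory() as d:
        model_dir = Path(d)
        path = model_dir / "tokenizer.json"
        path.write_text(json.dumps(TRUSTED_TOKENIZER))
        manifest = build_manifest(model_dir)
        clean = verify_manifest(model_dir, manifest)  # untouched copy passes

        # Constructed tampering: remap one id, add a vocab entry and an added
        # token. The result is still valid JSON with the same schema, so only
        # the pinned hash reveals that the file changed.
        tampered = json.loads(json.dumps(TRUSTED_TOKENIZER))
        tampered["model"]["vocab"]["world"] = 3
        tampered["model"]["vocab"]["leak"] = 2
        tampered["added_tokens"].append({"id": 3, "content": "<sys>", "special": True})
        path.write_text(json.dumps(tampered))

        bad = verify_manifest(model_dir, manifest)
        explanation = diff_tokenizer(TRUSTED_TOKENIZER, json.loads(path.read_text()))
        return clean, bad, explanation


if __name__ == "__main__":
    print(demo())
```

The manifest is what a signed model bundle would carry; signing the manifest (rather than each file) is what turns this from a local check into the model signing the article suggests, and the check has to run on the files the loader actually opens, not on a copy pulled separately.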