2026-04-19 | Oracle-42 Intelligence Research
Malicious Jupyter Notebooks Distributing Cryptojacking Payloads via Open-Source AI Model Repositories on Hugging Face
Executive Summary: Between Q4 2025 and Q1 2026, Oracle-42 Intelligence observed a surge in malicious Jupyter notebooks hosted on Hugging Face's open-source AI model repositories. These notebooks contained obfuscated cryptojacking payloads that exploited computational resources of unsuspecting developers and researchers to mine cryptocurrency. The campaign capitalized on the trust in AI model sharing ecosystems, demonstrating a critical gap in supply-chain security for AI development tools. Our analysis reveals sophisticated evasion techniques, lateral movement potential, and implications for cloud-based AI workloads.
Key Findings
- Over 120 malicious Jupyter notebooks were identified across 47 Hugging Face repositories, with a 300% increase in Q1 2026 compared to Q4 2025.
- Payloads included XMRig and custom Monero miners, evading detection via dynamic obfuscation and environment checks.
- Attackers used dependency confusion and typosquatting to trick users into downloading malicious notebooks.
- Some payloads contained worm-like capabilities, enabling lateral propagation within cloud environments using compromised credentials.
- Hugging Face has since implemented automated scanning and revoked access for offending users, but the incident highlights systemic risks in AI supply chains.
Threat Landscape: How Cryptojacking Targets AI Development
The integration of AI development tools with cloud-based compute resources has created a lucrative attack surface. Developers routinely download pre-trained models and accompanying Jupyter notebooks from platforms like Hugging Face, GitHub, and Model Zoo. These notebooks often contain environment setup instructions, data preprocessing scripts, and inference pipelines—making them ideal vehicles for payload delivery.
The malicious notebooks in this campaign followed a consistent pattern:
- Initial Access: Attackers uploaded notebooks with names mimicking popular models (e.g., "bert-base-uncased-jupyter.ipynb" instead of "bert-base-uncased"); a name-similarity detection sketch follows this list.
- Obfuscation: Payloads were hidden within legitimate-looking Python code using Base64, hex, or custom encoding.
- Environment Check: Scripts verified they were running in a development environment (e.g., checking for Jupyter kernels or Docker containers) before activating the miner.
- Persistence: Some variants installed cron jobs or systemd services to maintain access even after notebook execution.
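The naming trick in the first step lends itself to automated detection: compare new artifact names against an allow-list of well-known models and flag near misses. Below is a minimal sketch; KNOWN_MODELS is an illustrative, abbreviated allow-list, not a real feed.

import difflib

# Illustrative, abbreviated allow-list of well-known model names
KNOWN_MODELS = ["bert-base-uncased", "gpt2", "roberta-base", "distilbert-base-uncased"]

def looks_like_typosquat(name: str, cutoff: float = 0.8) -> bool:
    """Flag names that closely resemble, but do not exactly match, a known model."""
    if name in KNOWN_MODELS:
        return False
    return bool(difflib.get_close_matches(name, KNOWN_MODELS, n=1, cutoff=cutoff))

print(looks_like_typosquat("bert-base-uncased-jupyter"))  # True (similarity ~0.81)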
Notable Observations:
- Several payloads included reverse shells, enabling attackers to exfiltrate sensitive data or pivot to other systems.
- One advanced variant used a custom neural network loader that downloaded the miner only after verifying the host was part of a CI/CD pipeline; a sketch of this style of check follows the list.
- Miners were configured to mine Monero (XMR), a privacy-focused cryptocurrency favored by threat actors because its transactions are difficult to trace.
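Such pipeline checks are commonly implemented by probing well-known CI environment variables before fetching the second stage. The sketch below assumes that approach; the variable list and download_second_stage() are illustrative stand-ins, not recovered code.

import os

# Well-known CI/CD indicator variables (an illustrative subset)
CI_MARKERS = ("CI", "GITHUB_ACTIONS", "GITLAB_CI", "JENKINS_URL")

def in_ci_pipeline() -> bool:
    """Heuristic: most CI systems set at least one of these variables."""
    return any(os.environ.get(marker) for marker in CI_MARKERS)

def download_second_stage():
    """Hypothetical stub standing in for the miner download."""
    print("second stage would be fetched here")

if in_ci_pipeline():
    download_second_stage()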
Supply Chain Risks in AI Model Repositories
Hugging Face and similar platforms operate under a model of trust: users assume that shared artifacts are benign. However, the incident underscores critical vulnerabilities:
- Lack of Automated Code Analysis: Static analysis tools often miss obfuscated or dynamically loaded payloads.
- Dependency Hijacking: Attackers exploited missing or mismatched dependencies in notebooks to inject malicious code during installation.
- Reputation Abuse: Threat actors created fake accounts with reputable-sounding usernames (e.g., "research-team", "nlp-lab") to lend credibility to malicious uploads.
- Cloud Resource Exploitation: Once activated, miners consumed GPU/CPU cycles, increasing cloud costs and potentially violating service terms.
This campaign is part of a broader trend where adversaries weaponize AI ecosystems. Similar attacks have targeted PyPI packages and npm libraries, suggesting a coordinated effort to exploit open-source AI infrastructure.
Technical Analysis: Payloads, Evasion, and Propagation
Oracle-42 reverse-engineered several payloads and identified three primary techniques spanning evasion and propagation:
1. Dynamic Code Execution
Payloads were embedded as strings or within dictionaries:
import base64

miner_config = {
    "enabled": False,
    "url": "stratum+tcp://pool.supportxmr.com:5555",
    "user": "45C2...",
    "pass": "x"
}
# Obfuscated activation: the real payload arrives Base64-encoded
exec(base64.b64decode("...hidden...").decode())
The decode/exec pattern bypassed traditional static scanners, which rarely emulate Python execution environments.
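A scanner does not need full emulation to catch this particular shape, though: a structural pass over the AST can flag any exec or eval call whose arguments contain a decoder call. The following is a minimal heuristic sketch, not a production rule.

import ast

SUSPICIOUS_CALLS = {"exec", "eval"}
DECODER_ATTRS = {"b64decode", "unhexlify", "decode"}

def flag_dynamic_exec(source: str) -> list:
    """Return line numbers where exec/eval wraps a decoded payload."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in SUSPICIOUS_CALLS):
            for arg in node.args:
                inner_calls = [n for n in ast.walk(arg) if isinstance(n, ast.Call)]
                if any(isinstance(c.func, ast.Attribute)
                       and c.func.attr in DECODER_ATTRS for c in inner_calls):
                    findings.append(node.lineno)
    return findings

sample = 'import base64\nexec(base64.b64decode("aGk=").decode())'
print(flag_dynamic_exec(sample))  # [2]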
2. Environment-aware Activation
Scripts contained logic to detect if they were running in a development context:
import sys

# Activate only once a Jupyter/IPython kernel is loaded in-process
if "jupyter" in sys.modules or "ipykernel" in sys.modules:
    activate_miner()
Because the miner ran only alongside legitimate workloads, its resource consumption blended into expected activity, reducing the chance of detection by idle-resource monitoring.
3. Worm-like Propagation
One variant, dubbed "JupyterWorm", attempted to spread by:
- Scanning ~/.jupyter/ for other notebooks.
- Injecting malicious code into trusted notebooks.
- Propagating via Git commits or shared cloud storage links.
This behavior suggests a future where AI supply chain attacks evolve into self-replicating malware within development environments.
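Defenders can hunt for this style of cross-notebook injection by scanning notebook JSON directly. The sketch below walks a directory of .ipynb files and reports cells matching a simple pattern heuristic; the search root and regex are illustrative.

import json
import re
from pathlib import Path

# Illustrative heuristic: strings seen in the observed payloads
SUSPICIOUS = re.compile(r"b64decode|exec\(|eval\(|stratum\+tcp", re.IGNORECASE)

def scan_notebooks(root: str = "~/.jupyter"):
    """Report notebook cells whose source matches the heuristic."""
    for nb_path in Path(root).expanduser().rglob("*.ipynb"):
        try:
            nb = json.loads(nb_path.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue
        for i, cell in enumerate(nb.get("cells", [])):
            source = "".join(cell.get("source", []))
            if SUSPICIOUS.search(source):
                print(f"{nb_path}: cell {i} matches a suspicious pattern")

scan_notebooks()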
Impact Assessment and Industry Response
The immediate impact included:
- Resource Theft: Unwitting developers incurred significant cloud compute charges (average increase of $150/month per infected account).
- Data Exposure: Reverse shells in some payloads potentially exposed API keys, model weights, or proprietary datasets.
- Reputation Damage: Community trust in the platform declined, with some users migrating to private repositories.
In response, Hugging Face implemented:
- Automated sandboxed execution for new uploads.
- Integration with VirusTotal and custom YARA rules for detecting obfuscated Python.
- Mandatory code signing for repositories with high download counts.
- Public disclosures and a bounty program for security researchers.
Still, challenges remain, including the scalability of manual review and the sophistication of future obfuscation techniques.
Recommendations for AI Developers and Organizations
To mitigate risks from malicious Jupyter notebooks and AI supply chain threats, we recommend the following:
For Individual Developers
- Isolate Execution: Use containers or virtual machines for running untrusted notebooks.
- Verify Sources: Only download notebooks from verified accounts with high reputation scores.
- Audit Dependencies: Review pip/conda install commands in notebooks before execution.
- Monitor Resource Usage: Use cloud-native tools (e.g., AWS CloudWatch, GCP Monitoring) to detect anomalous CPU/GPU usage; a local sketch follows this list.
- Use Static Analyzers: Tools like Bandit, Semgrep, or Pysa can detect suspicious patterns in Python code.
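Cloud-native monitors cover production workloads; for a quick local check on a workstation, a small psutil loop can flag Python processes with sustained high CPU. The thresholds below are illustrative.

import time
import psutil

CPU_THRESHOLD = 80.0  # percent; illustrative threshold
WINDOW = 5            # consecutive hot samples before alerting

def watch_python_processes(interval: float = 2.0):
    """Alert on Python processes that stay above CPU_THRESHOLD."""
    hot = {}
    while True:
        for proc in psutil.process_iter(["pid", "name", "cpu_percent"]):
            name = (proc.info["name"] or "").lower()
            if "python" not in name:
                continue
            pid = proc.info["pid"]
            if (proc.info["cpu_percent"] or 0.0) > CPU_THRESHOLD:
                hot[pid] = hot.get(pid, 0) + 1
                if hot[pid] == WINDOW:
                    print(f"ALERT: pid {pid} ({name}) sustained >{CPU_THRESHOLD}% CPU")
            else:
                hot.pop(pid, None)
        time.sleep(interval)

# watch_python_processes()  # runs until interrupted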
For Organizations
- Implement Supply Chain Security: Adopt frameworks like SLSA (Supply Chain Levels for Software Artifacts) for AI models and notebooks.
- Enforce Code Signing: Require cryptographic signatures for internal and third-party AI artifacts; a digest-verification sketch follows this list.
- Deploy Runtime Protection: Use anomaly detection in CI/CD pipelines to block malicious payloads before deployment.
- Educate Teams: Conduct training on AI-specific attack vectors, including dependency confusion and notebook tampering.
- Adopt Zero-Trust for AI Workloads: Restrict model and notebook access based on identity, location, and behavior.
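Full code signing relies on asymmetric signatures (for example, via Sigstore); its simplest building block is verifying a downloaded artifact against a digest pinned out of band. A minimal sketch, with an illustrative function name and a placeholder digest:

import hashlib
from pathlib import Path

def verify_artifact(path: str, expected_sha256: str) -> bool:
    """Compare a file's SHA-256 digest against a pinned, trusted value."""
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return digest == expected_sha256

# Refuse to run a notebook whose digest does not match the pinned value:
# if not verify_artifact("model-notebook.ipynb", PINNED_DIGEST):
#     raise RuntimeError("artifact failed integrity check")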
For AI Platform Providers
- Scan at Upload: Execute new artifacts in sandboxes and apply YARA or similar rules tuned to obfuscated Python, as Hugging Face now does.
- Extend Code Signing: Require signatures for widely downloaded models and notebooks, not only flagged repositories.
- Verify Account Identity: Validate organizational accounts before granting research-team-style usernames, making reputation abuse harder.
- Support Researchers: Maintain bounty programs and publish transparent post-incident disclosures.