Hugging Face security analysis: ~70,000 live secrets and API keys, private repos, and leaky pics!
In his recent research, security researcher Dylan Ayrey presents the hidden security, privacy, and legal risks within the massive AI ecosystem surrounding Hugging Face, especially the various GitHub datasets that contain API keys, passwords, and other secrets.
What the author found after scanning about 25% of Hugging Face:
1️⃣ Around 70,000 unique live secrets and API keys
2️⃣ About 1,800 private company repositories
3️⃣ API keys embedded directly in PNG metadata (yes!)
API keys were hidden inside PNG image files because a popular AI image tool (ComfyUI) could embed the entire workflow - including prompts and API credentials.
Very interesting presentation and quite useful research... Especially for attackers. Enjoy, and please share it.
More details:
Follow the data to learn the secret [YouTube]: https://lnkd.in/dbJKQX75
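
To check your own images for the PNG metadata leak described above before publishing them, here is an added example (not from the presentation or from ComfyUI) that walks the PNG chunks, flags secret-looking fields in text metadata, and rebuilds the file without it. It assumes the workflow JSON sits in a `tEXt` chunk; the field-name regex, the function names and the sample image are constructed for illustration.

```python
import json, re, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_TYPES = {b"tEXt", b"zTXt", b"iTXt"}  # PNG textual metadata chunk types
# Hypothetical heuristic: JSON field names that often hold credentials.
SECRET_FIELD = re.compile(
    r'"([^"]*(?:api[_-]?key|token|secret|password)[^"]*)"\s*:\s*"([^"]+)"', re.I)

def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def iter_chunks(png):
    """Yield (type, data) for each chunk, checking the signature and CRCs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length

def find_secret_fields(png):
    """Return (chunk keyword, field name) for secret-looking values in tEXt."""
    hits = []
    for ctype, body in iter_chunks(png):
        if ctype == b"tEXt":  # layout: keyword, NUL, Latin-1 text
            keyword, _, text = body.partition(b"\x00")
            for m in SECRET_FIELD.finditer(text.decode("latin-1")):
                hits.append((keyword.decode("latin-1"), m.group(1)))
    return hits

def strip_text_chunks(png):
    """Rebuild the PNG without any textual metadata chunks."""
    return PNG_SIG + b"".join(
        chunk(t, b) for t, b in iter_chunks(png) if t not in TEXT_TYPES)

# Constructed sample: 1x1 grayscale PNG with a "workflow" chunk and a fake key.
_workflow = json.dumps(
    {"nodes": [{"type": "ExampleNode", "api_key": "EXAMPLE-NOT-A-REAL-KEY"}]})
SAMPLE = (PNG_SIG
          + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"tEXt", b"workflow\x00" + _workflow.encode("latin-1"))
          + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
          + chunk(b"IEND", b""))

if __name__ == "__main__":
    print(find_secret_fields(SAMPLE))
    print(len(SAMPLE), "->", len(strip_text_chunks(SAMPLE)), "bytes")
```

Stripping the metadata only cleans the copy you publish; a key that has already been shared in an image still needs to be revoked and rotated.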


