
Hugging Face token exposure: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Exposed API credentials can extend from code repositories into model, dataset, and supply-chain compromise, according to Lasso Security, which found 1,681 valid Hugging Face and GitHub tokens, including 655 with write permissions, and mapped access across 723 organisation accounts. Hard-coded tokens turn LLM platforms into identity-risk amplifiers, not just development tools.

NHIMG editorial — based on content published by Lasso Security: 1500+ HuggingFace API Tokens were exposed, leaving millions of Meta-Llama, Bloom, and Pythia users vulnerable

By the numbers:

Questions worth separating out

Q: What breaks when Hugging Face API tokens are exposed in public code?

A: Exposed Hugging Face API tokens turn repository access into a live identity compromise because they can reveal ownership, permissions, and in some cases write access.

Q: Why do exposed model registry tokens create supply-chain risk?

A: Because they can change shared artifacts that downstream teams trust.

Q: How do security teams know if NHI tokens in AI workflows are actually under control?

A: Look for three signals: every token has a named owner, write scopes are rare and justified, and exposure triggers automated revocation.

Practitioner guidance

  • Inventory Hugging Face and GitHub tokens as governed NHI credentials: create a register of model registry tokens, classify them by scope and owner, and assign a revocation path for each token type.
  • Restrict write permissions on shared models and datasets: separate read-only consumption from repository and dataset modification rights, then limit write access to named maintainers.
  • Automate exposure detection and revocation: scan public repositories and internal code reviews for token patterns, then revoke exposed credentials immediately and notify owners.
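Added example (not code from the post or from Lasso Security's research): a small Python scanner that ties the three guidance points above, and the three control signals from the Q&A, into one check. It looks for token-shaped strings in source lines, resolves each hit against an NHI register keyed by a SHA-256 fingerprint (so the raw secret is never stored in the inventory), and emits a revocation action that escalates when the token has write scope or no registered owner. The `hf_` and `ghp_` prefixes are the public prefixes of Hugging Face user tokens and GitHub classic personal access tokens; the register contents, owner names, scopes and the token values themselves are constructed for the example.

```python
"""Scan source lines for platform tokens and map them to an NHI register.

Added example; the register, owners, scopes and sample lines are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# Public token prefixes: Hugging Face user tokens start with "hf_", GitHub
# classic personal access tokens with "ghp_". The length bounds keep short
# identifiers that merely share a prefix (e.g. HF_TOKEN) from matching.
TOKEN_PATTERNS = {
    "huggingface": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "github": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def fingerprint(token: str) -> str:
    """Stable inventory key for a token; the raw secret is never stored."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    platform: str
    fingerprint: str
    line_no: int
    owner: str    # "UNREGISTERED" when the token is not in the register
    scope: str    # "read", "write" or "unknown"
    action: str   # what the remediation pipeline should do


def action_for(entry: dict) -> str:
    """Exposure always revokes; write scope or missing ownership escalates."""
    if entry["owner"] == "UNREGISTERED":
        return "revoke + open ownership ticket"
    if entry["scope"] == "write":
        return "revoke + rotate + notify maintainer + audit recent pushes"
    return "revoke + notify owner"


def scan(lines, register):
    """Return one Finding per token match, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for platform, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                fp = fingerprint(match.group(0))
                entry = register.get(fp, {"owner": "UNREGISTERED", "scope": "unknown"})
                findings.append(Finding(platform, fp, n, entry["owner"],
                                        entry["scope"], action_for(entry)))
    return findings


# Constructed tokens: deliberately recognisable fakes, not real credentials.
FAKE_HF_WRITE = "hf_" + "W" * 34
FAKE_HF_READ = "hf_" + "R" * 34
FAKE_GH = "ghp_" + "G" * 36

# Constructed source lines, as a code-review hook might see them.
SAMPLE_LINES = [
    "from huggingface_hub import login",
    f'login(token="{FAKE_HF_WRITE}")  # committed by mistake',
    f'HF_TOKEN = "{FAKE_HF_READ}"',
    f'os.environ["GITHUB_TOKEN"] = "{FAKE_GH}"',
    'login(token=os.environ["HF_TOKEN"])  # correct: read from the environment',
]

# Constructed register: fingerprint -> owner and scope. The GitHub token is
# intentionally absent to show how an unowned credential is handled.
REGISTER = {
    fingerprint(FAKE_HF_WRITE): {"owner": "ml-platform-team", "scope": "write"},
    fingerprint(FAKE_HF_READ): {"owner": "data-eng", "scope": "read"},
}

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES, REGISTER):
        print(f"line {f.line_no}: {f.platform} {f.fingerprint} "
              f"owner={f.owner} scope={f.scope} -> {f.action}")
```

The scanner only decides what to do; the actual revocation call belongs to the platform's own API and is out of scope here. The point of the design is that the register answers the Q&A's three signals directly: an unregistered fingerprint means no named owner, the scope field makes write tokens countable, and every match produces a revocation action rather than just a log line.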

What's in the full report

Lasso Security's full research covers the operational detail this post intentionally leaves for the source:

  • Search methodology used to locate exposed Hugging Face and GitHub tokens at scale.
  • Examples of how whoami validation exposed token owners, memberships, and permissions.
  • Write-access demonstrations against model repositories and datasets.
  • The remediation response used after exposed tokens were reported and revoked.

👉 Read Lasso Security's research on exposed Hugging Face API tokens →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Hard-coded AI platform tokens are now identity assets, not just secrets: The article shows that a leaked Hugging Face token can expose ownership, membership, and permission data, which means the token is carrying a live delegation relationship. That makes it an NHI governance object with lifecycle, scope, and revocation requirements. Practitioners should treat model registry tokens as controlled identities that need assignment and offboarding discipline.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.

A question worth separating out:

Q: Should organisations treat model registries differently from other code platforms?

A: Yes, because model registries can carry both identity privileges and supply-chain impact at the same time. A leaked token may not just expose a repository; it can change the artifact that hundreds of downstream users trust. That means model registries need IAM, NHI, and software supply-chain controls together, not in separate silos.

👉 Read our full editorial: Exposed Hugging Face tokens show how LLM supply chains fail
