Hugging Face discloses a July 2026 security incident
Hugging Face Blog·high signal
Hugging Face published a first-party security incident disclosure for July 2026 on its official blog. Given that the Hub is the default distribution point for model weights and datasets across the ecosystem, any compromise touching tokens or repository write access has direct supply-chain implications for anyone pulling models programmatically — builders should rotate HF tokens and audit repo write scopes.