#hugging-face
4 articles exploring hugging-face.
Articles
PickleScan 1.0.4 Patches a CVSS 10.0 pkgutil.resolve_name Bypass and Six Missing Stdlib RCE Modules
PickleScan 1.0.4 patched three [critical bypasses](/articles/instructlab-cve-2026-6859-hardcoded-trust-remote-code-true-turns-any/), but the fixes expose a deeper flaw: denylist scanning cannot keep pickle safe. The structural fix is safetensors migration.
Hugging Face's Spring 2026 State of Open Source Report: China Hits 41% of Downloads, Industry Share Collapses From 70% to 37%
Chinese models hit 41% of Hugging Face downloads, overtaking the US, while independents hit 39%. Top 200 models capture half of all downloads, forcing Western procurement.
Marimo's CVE-2026-39987: 9h41m From Disclosure to Exploitation, NKAbuse Staged on Hugging Face
Marimo CVE-2026-39987 was exploited 9h41m after disclosure, with 662 events and a NKAbuse backdoor staged on Hugging Face. Same-day patching is the new minimum for AI tooling.
Hugging Face Skills: Pretrained Agent Capabilities
Hugging Face Skills are standardized, self-contained instruction packages that give coding agents—Claude Code, Codex, Gemini CLI, and Cursor—procedural expertise for AI/ML tasks. Launched in November 2025, the Apache 2.0-licensed library reached 7,500 GitHub stars by early 2026 and provides nine composable capabilities from model training to paper publishing.