2025-09-11

Namespace Recycling Leaves Thousands of AI Projects Vulnerable

Level: Strategic | Source: Unit 42 | Global


An AI supply-chain risk analyzed by Unit 42 centers on “Model Namespace Reuse,” a condition where model identifiers on public hubs can be reclaimed and abused after account changes. On platforms that fetch models by the conventional Author/ModelName string, pipelines often trust the name rather than the current owner or a specific commit. Unit 42 explains that after an author or organization disappears, “Anyone can re-register a deleted namespace.” In practice, an attacker recreates the original path and uploads a look-alike repository; downstream jobs that still point to the legacy name then pull the attacker’s content without errors. The risk also appears after ownership transfers: the hub redirects the old name to the new owner, but if the original namespace is later freed and re-registered by an adversary, the redirect no longer applies and the attacker’s model is served under the old name. As Unit 42 puts it, “When a user or organization is deleted from Hugging Face, its unique namespace does not become permanently unavailable. Instead, these identifiers return to a pool of available names, allowing another user to later create an organization with the same name.”

Unit 42 demonstrates that the issue is not theoretical by walking through case studies where reclaimed namespaces were used to deliver models capable of executing arbitrary code upon deployment. In one example, a verified catalog entry referencing a deleted author could still be deployed; once the team re-registered that author and replaced the model under the same path, any deployment using the old name fetched their build, which initiated a reverse shell back to the researchers. A related scenario involves ownership transfer: the hub sensibly redirects old names to the new owner, keeping workloads running, but if the original namespace is later deleted and then re-registered by an attacker, the old name resolves to the attacker’s repository instead of following the redirect. Unit 42 distinguishes the two precipitating states by behavior: deletion yields downtime and 404s until a takeover fills the gap, while transfers return 307 redirects that quietly mask the shift until the original name becomes reusable. Across both paths, the common failure mode is reliance on the mutable namespace rather than an immutable content reference.

Beyond cloud model catalogs, Unit 42 found the same pattern embedded in open-source code and secondary registries. Thousands of public repositories hard-code Author/ModelName in scripts, defaults, examples, and notebooks; when those authors vanish or move, an attacker who reclaims the name can push altered artifacts that are automatically picked up at build or runtime. Model registries that mirror public hubs widen the blast radius: once a model under a reusable namespace is ingested from the upstream hub, the tainted entry propagates to users who never touched the original hub. The net effect is a classic supply-chain cascade: legitimate pipelines continue to “work,” while the underlying content has changed owners and behavior. Unit 42 stresses that this is a systemic integrity problem across the AI ecosystem: trusting a name alone is not a sufficient basis for deployment decisions, especially when names can be recycled.

Unit 42 recommends practical controls that map cleanly to software-supply-chain hygiene. First, pin by immutable identifiers (for example, a specific commit/revision) rather than a floating reference such as a branch name, so pipelines cannot silently ingest changed content. Second, clone and serve critical models from a controlled registry or internal storage after vetting, breaking the runtime dependency on external namespaces. Third, continuously scan codebases for reusable model references (including defaults and documentation), and treat those references like any third-party dependency subject to review and policy. Finally, build monitoring around model-load paths: alert on unexpected changes in the commit a name resolves to, changes in redirect behavior for transferred names, or deployments from author namespaces that recently reappeared. Taken together, the findings show how namespace reuse can lead directly to remote code execution during model deployment, and why identity (commits, digests, or signed provenance) must replace mutable names as the trust anchor in AI pipelines.
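The two controls that can be automated from the consumer side, scanning code for floating Author/ModelName references (the pattern described two paragraphs up) and alerting when the commit behind a pinned name drifts, are shown below as an added example. This is my own illustration, not Unit 42's tooling or any Hugging Face library code. It assumes a simplified scanner that only recognises string-literal model IDs passed directly to a `*.from_pretrained(...)` call, and all model names, commit hashes and the "current resolution" snapshot are constructed sample data.

```python
# Added example (not Unit 42's or Hugging Face's code): flag model references that
# are not pinned to an immutable commit, and detect drift between a pinned commit
# and what the hub currently serves under the same Author/ModelName.
import re
from typing import Optional

# Hypothetical simplification: only string-literal model IDs passed directly to a
# *.from_pretrained(...) call are recognised. IDs that arrive through variables,
# CLI flags or config files need a different scanner.
MODEL_REF_RE = re.compile(
    r"""from_pretrained\(\s*["']([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)["']([^)]*)\)"""
)
REVISION_RE = re.compile(r"""revision\s*=\s*["']([^"']*)["']""")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")  # full git commit SHA: the only immutable form


def find_floating_refs(source: str) -> list[tuple[str, Optional[str]]]:
    """Return (model_id, revision) for every from_pretrained call in `source`
    whose revision is absent or is not a full commit hash.

    A missing revision falls back to the branch head, and a branch or tag name
    can be re-pointed by whoever controls the namespace, so both count as floating.
    """
    findings = []
    for call in MODEL_REF_RE.finditer(source):
        model_id, args = call.group(1), call.group(2)
        rev = REVISION_RE.search(args)
        revision = rev.group(1) if rev else None
        if revision is None or not COMMIT_RE.match(revision):
            findings.append((model_id, revision))
    return findings


def check_against_lock(lock: dict[str, str], resolved: dict[str, str]) -> list[str]:
    """Compare pinned commits (lock) with what the hub currently resolves each
    name to (resolved). A name that no longer resolves looks like a deletion; a
    name that resolves to a different commit means the content behind the name
    changed, which is what a namespace takeover looks like to the consumer.
    """
    alerts = []
    for name, pinned in lock.items():
        current = resolved.get(name)
        if current is None:
            alerts.append(f"{name}: no longer resolvable (deleted namespace, expect 404)")
        elif current != pinned:
            alerts.append(f"{name}: pinned {pinned[:12]} but hub now serves {current[:12]}")
    return alerts


# Constructed sample: a notebook-style snippet with three loader calls, only the
# last of which is pinned to a commit.
SAMPLE_SOURCE = '''
tok = AutoTokenizer.from_pretrained("good-org/widget-model")
model = AutoModel.from_pretrained("good-org/widget-model", revision="main")
pinned = AutoModel.from_pretrained(
    "good-org/widget-model",
    revision="0123456789abcdef0123456789abcdef01234567",
)
'''

# Constructed lockfile and a constructed snapshot of current hub resolution.
# In production the snapshot comes from a hub API query, not a literal.
LOCK = {
    "good-org/widget-model": "0123456789abcdef0123456789abcdef01234567",
    "gone-org/old-model": "89abcdef0123456789abcdef0123456789abcdef",
}
RESOLVED_NOW = {
    "good-org/widget-model": "0123456789abcdef0123456789abcdef01234567",
    # gone-org was deleted and re-registered: same name, different content.
    "gone-org/old-model": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}

if __name__ == "__main__":
    for model_id, revision in find_floating_refs(SAMPLE_SOURCE):
        print(f"floating reference: {model_id} (revision={revision!r})")
    for alert in check_against_lock(LOCK, RESOLVED_NOW):
        print("ALERT:", alert)
```

Run as a script, the scanner reports the unpinned call and the `revision="main"` call, and the lock check raises one alert for `gone-org/old-model`. To populate `resolved` for real, query the hub at deploy time (for example the `sha` field returned by `HfApi().model_info(repo_id)` in huggingface_hub) and feed the result into `check_against_lock`; the 40-hex requirement in `COMMIT_RE` is what stops a branch name from being accepted as a pin.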
