LIVE FEED
FIRST LOOK First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context // FIRST LOOK First Look: NVIDIA and Hugging Face Integrate GR00T 1.7 into LeRobot Open Robotics … // FIRST LOOK First Look: AWS Launches Multi-Turn RL Infrastructure for Amazon Nova on SageMaker … // FIRST LOOK First Look: OfficeCLI Ships Open-Source Microsoft Office Automation Suite for AI Agents // HIGH Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents // HIGH SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate // HIGH Amazon Q VS Code Extension Flaw Enables Cloud Credential Theft via MCP // FIRST LOOK First Look: Chinese AI Firms Launch LLMs Rivalling US Frontier Models in Capability // CRITICAL LLM Agents Weaponised to Deliver Ransomware via Langflow Platform // HIGH Poisoned MCP Tool Descriptions Enable Silent Data Exfiltration via AI Agents //
FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely RELEVANCE ▲ 5.5

First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context

ATTACK SURFACE BRIEF MEDIUM ↗ RAPID
  • What shipped: Tencent releases Hy3, a 295B open-weight MoE model with 256K context under Apache 2.0.
  • Who's now exposed: Organisations deploying or evaluating open-weight LLMs, particularly those with supply chain governance or data residency requirements, are newly exposed.
  • Assess now: Inventory any downstream integrations or pipelines that may automatically pull or reference new Hugging Face model releases and validate provenance controls · Assess your 256K-context guardrail coverage — test whether existing prompt injection and output filtering defences hold at long-context boundaries · Apply standard open-weight model intake procedures: red-team for jailbreaks, audit training data claims, and document Chinese-origin provenance for compliance reporting
First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context

Capability Overview

Tencent’s Hy Team has released Hy3, a 295B-parameter Mixture-of-Experts (MoE) model with approximately 21B active parameters per forward pass and an additional 3.8B multi-token prediction layer. Published under the permissive Apache 2.0 licence and distributed via Hugging Face (598GB full precision; 300GB in FP8 quantised form), Hy3 is immediately accessible to any actor with sufficient compute. A free inference tier via OpenRouter is available until 21 July 2026, further lowering the barrier to experimentation.

The model’s headline features from a defender’s perspective are its 256K token context window and its open-weight status. These two characteristics, in combination, shift the capability baseline for what a well-resourced or patient threat actor can accomplish without proprietary API access.

Attack Surface Analysis

Open weights as a force multiplier. Apache 2.0 with no use restrictions means any actor can download, fine-tune, and redistribute modified versions of Hy3. This enables the removal of safety filters, the embedding of backdoors into domain-specific fine-tunes, or the creation of uncensored variants distributed through informal channels. The model’s competitive performance against models 2–5× its parameter count means these derivative variants are practically capable, not merely symbolic.

256K context and guardrail evasion. Most deployed content filters and prompt injection defences are optimised for short-to-medium context lengths. At 256K tokens, adversaries can craft payloads that embed malicious instructions deep within large documents — contracts, codebases, research papers — where attention-based anomaly detection is less reliable. Defenders whose RAG pipelines or document summarisation workflows feed into Hy3 endpoints should specifically test injection at positions beyond 32K tokens.

Supply chain and provenance concerns. Hy3 is a Chinese-origin model released by a major commercial entity (Tencent). For organisations subject to data handling regulations, export controls, or internal AI governance policies that require model lineage documentation, this provenance introduces a compliance surface. The training data composition has not been independently audited, and the “50+ products” cited in post-training feedback represent an undisclosed set of Tencent services.

MoE opacity. Mixture-of-Experts architectures route tokens through different expert subnetworks, making consistent safety evaluation harder. Behaviours observed during red-teaming on one expert routing path may not generalise, creating gaps that jailbreak researchers are likely to probe systematically.

Framework Mapping

  • AML.T0044 (Full ML Model Access): Open weights grant adversaries complete model access for white-box attacks, fine-tuning, and behaviour profiling.
  • AML.T0054 (LLM Jailbreak): The model’s competitive capability makes it a high-value jailbreak target; uncensored derivatives are a foreseeable near-term artefact.
  • AML.T0051 (LLM Prompt Injection): The 256K context window directly expands the viable injection surface in document-processing pipelines.
  • AML.T0010 (ML Supply Chain Compromise): Downstream integrations that auto-pull Hugging Face model updates are exposed if a compromised or trojaned variant is published under a similar namespace.
  • LLM05 (Supply Chain Vulnerabilities): Model provenance, training data composition, and the lack of independent auditing are supply chain risks for enterprise adopters.

Threat Scenarios

  1. Jailbreak-as-a-service derivative: A threat actor fine-tunes Hy3 on curated refusal-bypass data, removes safety tuning, and redistributes it through Telegram or dark web forums as an uncensored assistant for fraud script generation or CSAM.

  2. Long-context RAG injection: An attacker uploads a 200K-token PDF to an enterprise document platform backed by Hy3. A malicious instruction buried at token position 180,000 instructs the model to exfiltrate subsequent user queries to an attacker-controlled endpoint.

  3. Namespace squatting on Hugging Face: Shortly after the legitimate release, a threat actor publishes tencent/Hy3-instruct-v2 with a backdoored variant, targeting organisations with automated model update pipelines.

Defender Checklist

  • Catalogue exposure: Identify all internal systems that may consume Hy3 via OpenRouter, Hugging Face, or self-hosted deployments.
  • Validate model hash integrity: If deploying the weights, pin to the official SHA256 hash published by Tencent and verify before loading.
  • Test long-context injection: Run prompt injection red-team exercises specifically targeting inputs beyond 32K, 64K, and 128K token boundaries.
  • Review supply chain policy: Determine whether Chinese-origin open-weight models require additional governance review under your AI procurement policy.
  • Monitor for derivative releases: Set up Hugging Face namespace alerts for tencent/Hy3* to detect potentially malicious forks early.
  • Audit RAG pipeline output handling: Ensure model outputs feeding into downstream actions (code execution, API calls) pass through output sanitisation regardless of model identity.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.