The file delete button appears on Hugging Face repositories, for repositories that I do not own. It even appears when I’m logged out of Hugging Face.
Please double check RBAC on the backend, so that the attackers can’t delete other people’s repository files. Then fix the client-side code to hide the delete button when the user lacks the delete privilege.