
A fake repository on Hugging Face posing as OpenAI’s “Privacy Filter” project was found distributing information-stealing malware targeting Windows users, raising fresh concerns around AI platform security and malicious model hosting.
The malicious repository, identified as Open-OSS/privacy-filter, briefly reached the #1 trending position on Hugging Face and reportedly recorded around 244,000 downloads before being removed following security reports.
Researchers from cybersecurity company HiddenLayer discovered the campaign on May 7 after noticing that the repository closely copied OpenAI’s legitimate Privacy Filter project, including its model card and branding. According to the researchers, the repository contained a malicious Python file named “loader.py” designed to secretly download and execute malware on Windows systems.
The script reportedly included fake AI-related code to appear legitimate while secretly disabling SSL verification, decoding a hidden external URL, and downloading a malicious PowerShell command through a JSON payload. The command then downloaded a batch file named “start.bat,” which escalated privileges, bypassed Microsoft Defender protections, and executed the final malware payload known as “sefirah.”
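From the defender's side, an added example (not HiddenLayer's tooling and not code from the repository): a triage script that parses the Python files of a downloaded model repository with `ast`, never executing them, and flags the three behaviours described above: SSL verification being disabled, a string literal decoded from base64, and a PowerShell launch through `subprocess`. The two embedded sample files are constructed for the demonstration; the heuristics are a prompt for manual review, not a verdict.

```python
import ast, pathlib, tempfile

SHELL_HINTS = ("powershell", "pwsh", "cmd.exe", ".bat")
LAUNCHERS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system"}

def scan_source(source: str) -> list[str]:
    """Parse one Python file (never executing it) and return sorted finding labels."""
    findings: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        # ssl._create_default_https_context = ssl._create_unverified_context
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add("ssl-verification-disabled")
        if isinstance(node, ast.Call):
            callee = ast.unparse(node.func)
            # a URL or command hidden as a base64 string literal
            if callee.endswith("b64decode") and node.args and isinstance(node.args[0], ast.Constant):
                findings.add("base64-literal-decode")
            if callee in LAUNCHERS:
                # any string literal in the call mentioning a shell or batch file
                literals = [c.value.lower() for c in ast.walk(node)
                            if isinstance(c, ast.Constant) and isinstance(c.value, str)]
                if any(hint in lit for lit in literals for hint in SHELL_HINTS):
                    findings.add("shell-launch")
    return sorted(findings)

def scan_repo(repo_dir: pathlib.Path) -> dict[str, list[str]]:
    """Scan every .py file under a checkout; return {relative path: findings} for hits only."""
    results: dict[str, list[str]] = {}
    for path in sorted(repo_dir.rglob("*.py")):
        try:
            findings = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            findings = ["unparseable"]  # unparseable files deserve a manual look too
        if findings:
            results[str(path.relative_to(repo_dir))] = findings
    return results

# Constructed samples (not the real loader.py): one carrying the described indicators, one clean.
SUSPICIOUS = '''import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
target = base64.b64decode("ZXhhbXBsZS5pbnZhbGlk").decode()
subprocess.run(["powershell", "-NoProfile", "-Command", "Write-Output " + target])
'''
CLEAN = "from transformers import AutoModel\nmodel = AutoModel.from_pretrained('org/model')\n"

def demo() -> dict[str, list[str]]:
    """Write both samples into a temporary 'repo' and scan it; only loader.py should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "loader.py").write_text(SUSPICIOUS, encoding="utf-8")
        (root / "handler.py").write_text(CLEAN, encoding="utf-8")
        return scan_repo(root)
```

Run `scan_repo` against a fresh `huggingface-cli download` directory before importing anything from it; a model repository that needs any of these three behaviours is the exception, not the rule.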
The final payload was identified as a Rust-based infostealer capable of stealing sensitive information including browser cookies, saved passwords, encryption keys, Discord tokens, cryptocurrency wallets, SSH and VPN credentials, FTP configurations, local files, wallet seeds, system information, and even multi-monitor screenshots.
Researchers said the stolen data was compressed and transmitted to a command-and-control server linked to the campaign. HiddenLayer also highlighted that the malware contained advanced anti-analysis techniques designed to detect virtual machines, sandboxes, debuggers, and security analysis tools to avoid detection.
The exact number of affected users remains unclear. Researchers noted that many of the 667 accounts that liked the repository appeared to be auto-generated, while the reported download numbers may also have been artificially inflated.
Investigators further linked the malicious infrastructure to other repositories and an npm typosquatting campaign associated with the WinOS 4.0 malware implant.
Users who downloaded files from the malicious repository have been advised to reimage affected systems, change stored credentials, replace cryptocurrency wallets and seed phrases, and invalidate browser sessions and tokens immediately.