Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads

Summary

A malicious Hugging Face repository impersonated OpenAI's legitimate Privacy Filter model, reaching #1 on the platform's trending list with 244,000 downloads in 18 hours. The typosquatted project included a loader script that deployed a Rust-based information stealer targeting Windows users, harvesting Discord credentials, cryptocurrency wallets, browser data, and system metadata. HiddenLayer researchers identified six additional malicious repositories using similar Python loaders to distribute the same infostealer.

Full text

Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads Ravie LakshmananMay 11, 2026Supply Chain Attack / Threat Intelligence A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart released by OpenAI late last month (openai/privacy-filter), including copying the entire description verbatim to trick unsuspecting users into downloading it. Access to the malicious model has since been disabled by Hugging Face. Privacy Filter was unveiled in April 2026 by the artificial intelligence (AI) company as a way to detect and redact personally identifiable information (PII) in unstructured text with an aim to incorporate strong privacy and security protections into applications. "The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines," the HiddenLayer Research Team said in a report published last week. The malicious project instructs users to clone the repository and run a batch script ("start.bat") for Windows or a Python script ("loader.py") for Linux or macOS systems to configure all necessary dependencies and start the model. Once launched, the Python script triggers malicious code responsible for disabling SSL verification, decoding a Base64-encoded URL hosted on JSON Keeper, and using it to extract a command that's passed to PowerShell for subsequent execution.The use of JSON Keeper, a public JSON paste service, as a dead drop resolver allows the attackers to switch payloads on the fly without the need for modifying the repository. The PowerShell command is used to download a batch script from a remote server ("api.eth-fastscan[.]org") and launch it using "cmd.exe."The batch script functions as a second-stage downloader that prepares the environment by elevating its privileges by means of a User Account Control (UAC) prompt, configuring Microsoft Defender Antivirus exclusions, downloading the next-stage binary from the same domain, and setting up a scheduled task that launches a PowerShell script to run the executable. Once the scheduled task is launched, the malware waits for two seconds before deleting itself. The final stage is an information stealer that's designed to take screenshots and harvest data from Discord, cryptocurrency wallets and extensions, system metadata, files such as FileZilla configurations and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines. "Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher," HiddenLayer explained. The stealer also runs checks to detect debuggers and sandboxes, ascertains it's not running in a virtual machine, and tries to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioural detection. The stolen data is exfiltrated in JSON format to the "recargapopular[.]com" domain. Prior to it being disabled, the model is said to have reached the #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours. It's suspected that these numbers were artificially inflated to give the repository an illusion of trust and get users to download it. Further analysis of the activity has unearthed six more repositories that feature a similar Python loader to deploy the stealer - anthfu/Bonsai-8B-gguf anthfu/Qwen3.6-35B-A3B-APEX-GGUF anthfu/DeepSeek-V4-Pro anthfu/Qwopus-GLM-18B-Merged-GGUF anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF anthfu/supergemma4-26b-uncensored-gguf-v2 HiddenLayer said it also observed the "api[.]eth-fastscan[.]org" domain being used to serve a different Windows executable ("o0q2l47f.exe") that beacons out to "welovechinatown[.]info," a command-and-control (C2) server previously put to use in a campaign in which a malicious npm package named trevlo was leveraged to deliver ValleyRAT (aka Winos 4.0).The Node.js library was downloaded more than 2,300 times after it was published by a user named "titaniumg" on April 4, 2026, although it's not clear if the download count was artificially boosted using automated processes. It's no longer available on npm. "The package's postinstall hook silently executes an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command, which in turn fetches and executes a second-stage PowerShell script from attacker-controlled infrastructure," Panther noted last month. "That script downloads and runs a Winos 4.0 stager binary ("CodeRun102.exe") with full evasion, complete with hidden window execution, Zone Identifier removal, and process detachment." The attack is noteworthy for the fact that it represents a new initial access vector for ValleyRAT, a modular remote access trojan that's known to be distributed via phishing emails and search engine optimization (SEO) poisoning. The use of ValleyRAT is exclusively attributed to a Chinese hacking group dubbed Silver Fox. "The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems," HiddenLayer said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, Hugging Face, Malware, OpenAI, powershell, supply chain attack, Threat Intelligence, windows security ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage

Indicators of Compromise

• domain — api.eth-fastscan.org
• domain — recargapopular.com
• domain — jsonkeeper.com
• malware — Privacy Filter Infostealer

Entities