Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware, Reaches Top Downloads
- May 11
- 3 min read
Key Findings
Malicious repository impersonating OpenAI's Privacy Filter reached #1 trending on Hugging Face with 244,000 downloads in 18 hours before removal
Typosquatting attack used copied model descriptions and fake AI code to distribute Rust-based information stealer malware
Multi-stage attack chain included privilege escalation, Windows Defender evasion, and credential theft targeting browsers, wallets, and Discord
At least six additional malicious repositories using similar loader infrastructure discovered on platform
Infrastructure overlap suggests possible connection to Chinese threat group Silver Fox and ValleyRAT malware campaigns
Download counts and engagement metrics appear artificially inflated to establish false legitimacy
Background
Hugging Face serves as a central repository where researchers and developers share AI models, datasets, and machine learning tools. The platform's popularity and trust make it an attractive target for adversaries seeking to distribute malware at scale. OpenAI's Privacy Filter, a legitimate tool released in April 2026 for detecting and redacting personally identifiable information in unstructured text, became the basis for this social engineering campaign.
Attack Methodology
The malicious repository named Open-OSS/privacy-filter replicated the legitimate openai/privacy-filter project by copying its model card verbatim and mimicking its directory structure. Users following the provided instructions would clone the repository and execute either a batch script for Windows or Python loader for Linux and macOS systems.
The loader.py file contained obfuscated malicious code disguised within what appeared to be legitimate AI initialization routines. The script disabled SSL certificate verification to bypass security checks, then decoded a Base64-encoded URL hosted on JSON Keeper, a public paste service used as an intermediary dead drop resolver.
Payload Delivery Chain
Once triggered, the loader fetched a PowerShell command that downloaded a batch script from api.eth-fastscan[.]org. This second stage performed privilege escalation through a User Account Control prompt, added Microsoft Defender Antivirus exclusions for the malware, and downloaded the final-stage binary before establishing a scheduled task to execute it.
The final payload was a Rust-based information stealer designed to operate with SYSTEM-level privileges. Rather than establishing persistence, it executed as a one-shot infection, stealing and exfiltrating data before the scheduled task self-destructed.
Information Theft Capabilities
The stealer targeted comprehensive credential and sensitive data including browser information from Chromium and Gecko-based browsers, Discord authentication tokens and databases, cryptocurrency wallets and browser extensions, SSH and VPN credentials, FileZilla configurations containing FTP credentials, wallet seed phrases, and system metadata. The malware also captured multi-monitor screenshots for additional reconnaissance.
Data was compressed and sent to recargapopular[.]com in JSON format. The malware included detection evasion features checking for virtual machines, sandboxes, debuggers, and attempted to disable Windows Antimalware Scan Interface and Event Tracing for Windows to avoid triggering security alerts.
Broader Campaign Infrastructure
HiddenLayer researchers uncovered six additional malicious repositories using identical loader infrastructure, including projects named after popular models like Bonsai-8B, Qwen, and DeepSeek variants. Analysis revealed the api.eth-fastscan[.]org domain serving different executables that beaconed to welovechinatown[.]info, a command-and-control server previously linked to ValleyRAT distribution campaigns.
This infrastructure overlap connected the Hugging Face campaign to an earlier malicious npm package named trevlo that delivered ValleyRAT stagers. The shared C2 infrastructure and malware families suggest these campaigns may be coordinated or conducted by the same threat actor.
Attribution and Context
ValleyRAT is exclusively attributed to Silver Fox, a Chinese hacking group known for distributing malware via phishing and SEO poisoning. The use of this malware through multiple supply chain vectors represents an expansion of the group's attack surface, leveraging trusted AI model repositories as infection vectors.
Remediation Recommendations
Users who downloaded from the malicious repository should reimage their machines, rotate all stored credentials, replace cryptocurrency wallets and seed phrases, and invalidate all browser sessions and authentication tokens. Organizations should review access logs for Hugging Face downloads and monitor affected systems for command-and-control communications to the identified C2 servers.
Sources
https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html
https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/
https://hoploninfosec.com/fake-openai-hugging-face-infostealer-malware
https://www.reddit.com/r/SecOpsDaily/comments/1t87fd7/fake_openai_repository_on_hugging_face_pushes/

Comments