Fake OpenAI Privacy Filter Repo on Hugging Face Delivers Malware to 244K Users
A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model successfully infected over 244,000 users with a Rust-based information stealer.

A malicious repository on the Hugging Face platform successfully impersonated OpenAI’s "Privacy Filter" model, tricking users into downloading an information-stealing malware payload. The fraudulent repository, titled Open-OSS/privacy-filter, reached the number one spot on the platform's trending list, accumulating approximately 244,000 downloads and 667 likes in just 18 hours before it was disabled by Hugging Face (The Hacker News).
The attack utilized a sophisticated supply chain mechanism to compromise Windows systems. By copying the legitimate model’s description verbatim, the attackers created a facade of authenticity. The repository included a loader.py script that, when executed, disabled SSL verification and decoded a Base64-encoded URL hosted on the JSON Keeper service. This URL provided a command for PowerShell to download a secondary batch script from api.eth-fastscan[.]org (The Hacker News).
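As an added example (not code from the article, from HiddenLayer, or from Hugging Face), the following Python script is a defender-side triage check for the loader pattern described above: it walks the Python files in a downloaded model snapshot and flags the combination of indicators the article names (SSL verification switched off, a Base64-decoded value, and a spawned PowerShell process). The snapshot it scans is constructed inline for the demonstration; its "loader" only mimics the shape of the pattern with inert placeholders where the real script carried an encoded URL and a download command, and the indicator regexes and risk ratings are this example's own assumptions, not a published detection rule.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Heuristic indicators for the loader pattern described in the article:
# SSL verification switched off, a Base64-decoded value, and a spawned
# PowerShell process. Each name maps to a regex over the file's source text.
# These patterns are an assumption of this example, not a vendor signature.
INDICATORS: Dict[str, re.Pattern] = {
    "ssl_verification_disabled": re.compile(
        r"_create_unverified_context|verify\s*=\s*False|CERT_NONE"),
    "base64_decode": re.compile(r"b64decode|base64\.decode"),
    "powershell_invocation": re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I),
    "process_spawn": re.compile(r"subprocess\.|os\.system|os\.popen"),
    "network_fetch": re.compile(r"urlopen|urlretrieve|requests\.(get|post)"),
}


def scan_source(text: str) -> List[str]:
    """Return the indicator names that match the given Python source text."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def risk_level(hits: List[str]) -> str:
    """Rate a file; a model-repo script that spawns PowerShell is the strongest signal."""
    if "powershell_invocation" in hits and "process_spawn" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


def scan_snapshot(root: Path) -> Dict[str, dict]:
    """Scan every .py file under a downloaded repo snapshot; return only files with hits."""
    findings: Dict[str, dict] = {}
    for path in sorted(root.rglob("*.py")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            rel = path.relative_to(root).as_posix()
            findings[rel] = {"hits": hits, "risk": risk_level(hits)}
    return findings


# Constructed sample files (not the real repository contents). The "loader"
# reproduces only the shape of the pattern, with inert placeholders.
SUSPICIOUS_SAMPLE = '''
import ssl, base64, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("PLACEHOLDER_BASE64").decode()
subprocess.run(["powershell", "-Command", "PLACEHOLDER_COMMAND"])
'''

BENIGN_SAMPLE = '''
import json
from pathlib import Path

def load_config(path):
    return json.loads(Path(path).read_text())
'''


def build_demo_snapshot(root: Path) -> None:
    """Write a constructed model-repo snapshot: config, weights stub, two scripts."""
    (root / "config.json").write_text('{"model_type": "demo"}')
    (root / "model.safetensors").write_bytes(b"")  # stand-in for real weights
    (root / "loader.py").write_text(SUSPICIOUS_SAMPLE)
    (root / "utils.py").write_text(BENIGN_SAMPLE)


def demo() -> Dict[str, dict]:
    """Build the constructed snapshot in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_snapshot(root)
        return scan_snapshot(root)


if __name__ == "__main__":
    for filename, finding in demo().items():
        print(f"{filename}: risk={finding['risk']} hits={', '.join(finding['hits'])}")
```

Point `scan_snapshot` at the directory a model download landed in and review anything rated medium or high before running any script from it. The check is a triage heuristic: an obfuscated loader can avoid every regex, so the durable control is policy rather than pattern matching. Weights in a serialized tensor format need no companion script to load, and a repository whose files include a script that spawns a shell is a reason to stop, not a reason to run it with elevated privileges.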
Once the secondary script was active, it performed several malicious actions, including triggering a User Account Control (UAC) prompt for privilege escalation and configuring Microsoft Defender Antivirus exclusions to avoid detection. The malware then established a scheduled task to execute the final payload, a Rust-based information stealer, before deleting itself to minimize its footprint. The stealer was designed to harvest sensitive data, including browser information, cryptocurrency wallet seed phrases, Discord credentials, and system metadata, which were then exfiltrated to recargapopular[.]com (The Hacker News).
To evade security analysis, the malware included checks to detect debuggers, sandboxes, and virtual machines. It also attempted to disable the Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). Researchers at HiddenLayer, who discovered the campaign, noted that the high download and like counts were likely artificially inflated to build false trust among the AI community (The Hacker News).
The threat extended beyond the single impersonated repository. HiddenLayer identified six additional repositories under the user anthfu that utilized the same malicious loader pattern to distribute the stealer. These repositories masqueraded as various AI models, such as Qwen3.6-35B-A3B-APEX-GGUF and DeepSeek-V4-Pro. Furthermore, the infrastructure associated with api.eth-fastscan[.]org was observed serving other malicious binaries, suggesting a broader, ongoing campaign (The Hacker News).
This incident highlights the growing risks associated with the AI supply chain, where the popularity of open-weight models is being weaponized to distribute malware. As developers increasingly rely on platforms like Hugging Face to integrate pre-trained models into their applications, the potential for typosquatting and social engineering remains a significant concern. Users are advised to exercise extreme caution when cloning repositories and executing scripts from untrusted sources, even when they appear to be trending or highly rated (The Hacker News).