Fake OpenAI Privacy Filter Repo on Hugging Face Distributes Infostealer
A malicious repository impersonating OpenAI's 'Privacy Filter' on Hugging Face has been used to distribute a Rust-based information stealer to over 244,000 users.
A malicious repository on the Hugging Face platform, masquerading as an official OpenAI project, has been identified as a vector for distributing information-stealing malware. The repository, named "Open-OSS/privacy-filter," impersonated OpenAI's legitimate "privacy-filter" model to trick users into downloading a Rust-based infostealer.
The fake repository successfully reached the top of the Hugging Face trending list, accumulating over 244,000 downloads before being addressed [The Hacker News]. This incident highlights the risks associated with trusting third-party repositories and the importance of verifying the authenticity of open-source models and code.
Users who may have interacted with the malicious repository are advised to scan their systems for signs of compromise and change any potentially exposed credentials. Hugging Face and other open-source platforms are encouraged to implement stricter verification processes to prevent the distribution of malicious content.
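One way to enforce that verification before anything is downloaded is a gate that only allows pinned repository ids and rejects look-alikes that reuse a pinned model name under another namespace, as "Open-OSS/privacy-filter" did. This is an added example, not code from Hugging Face, OpenAI or the cited report; the pinned id "openai/privacy-filter" and the function names are assumptions made for illustration.

```python
import re

# Assumption: the team pins the exact repo ids it trusts. "openai/privacy-filter"
# is assumed here to be the legitimate id; confirm it against the publisher's
# own documentation before pinning.
TRUSTED_REPOS = frozenset({"openai/privacy-filter"})

# Repo ids take the form "namespace/name".
REPO_ID = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)/([A-Za-z0-9][A-Za-z0-9._-]*)$")


def _fold(name):
    """Lower-case and drop separators so 'Privacy_Filter' equals 'privacy-filter'."""
    return re.sub(r"[._-]", "", name.lower())


def check_repo(repo_id, trusted=TRUSTED_REPOS):
    """Return (decision, reason); decision is 'allow', 'reject' or 'review'."""
    match = REPO_ID.match(repo_id)
    if not match:
        return "reject", "malformed repo id"
    namespace, name = match.groups()
    if repo_id in trusted:
        return "allow", "exact match with a pinned repo id"
    for pinned in sorted(trusted):
        pinned_ns, pinned_name = pinned.split("/")
        # Same model name under a different publisher: the pattern in this incident.
        if _fold(name) == _fold(pinned_name):
            return "reject", f"reuses the model name of {pinned} under namespace {namespace!r}"
        # Namespace that imitates a pinned publisher by case or separators.
        if namespace != pinned_ns and _fold(namespace) == _fold(pinned_ns):
            return "reject", f"namespace {namespace!r} imitates pinned namespace {pinned_ns!r}"
    return "review", "repo id is not pinned; needs manual vetting"


if __name__ == "__main__":
    # Constructed sample ids; only "Open-OSS/privacy-filter" comes from the report.
    for candidate in ("openai/privacy-filter", "Open-OSS/privacy-filter",
                      "Open_AI/some-model", "example-org/other-model"):
        print(candidate, "->", check_repo(candidate))
```

A trending rank or download count is not an input to this check; only the pinned id is.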