VYPR
Breach · Published May 9, 2026 · Updated May 17, 2026 · 1 source

Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware

A malicious repository impersonating an OpenAI project on Hugging Face reached the platform's trending list, deceiving users into downloading a Rust-based infostealer.

A malicious repository on Hugging Face, which briefly climbed to the platform's top trending spot, was found distributing information-stealing malware to Windows users. The repository, identified as Open-OSS/privacy-filter, was designed to impersonate a legitimate OpenAI project. According to BleepingComputer, the repository managed to accumulate 244,000 downloads before being removed by Hugging Face following reports of its malicious nature.

The attack utilized a technique known as typosquatting, where the threat actor copied the model card of OpenAI’s actual "Privacy Filter" project to gain credibility. HiddenLayer researchers discovered that the repository included a loader.py script that appeared to contain harmless AI-related code. In reality, the script was designed to disable SSL verification, decode a base64-encoded URL, and execute a hidden PowerShell command. This command initiated a multi-stage infection process, downloading a batch file (start.bat) that performed privilege escalation and added the final payload to Microsoft Defender’s exclusion list (BleepingComputer).
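The loader behaviour described above (SSL verification switched off, a base64-decoded URL, a hidden PowerShell launch, and a batch file that adds a Defender exclusion) is the kind of thing a static triage pass can flag before anything from a downloaded repository is executed. The following is an added example written for this page, not code from HiddenLayer, BleepingComputer or the repository itself. The rule patterns, severities and the verdict threshold are assumptions modelled on the article's description, and the sample files are constructed and inert; they are never executed, only scanned.

```python
"""Static triage of files fetched from a model repository for loader-style indicators.

Added example for this page. The rules are assumptions based on the behaviour
the article describes; the sample files below are constructed and inert.
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line_no: int
    excerpt: str


# (rule name, severity, line-level pattern). A single "high" hit is enough for a verdict;
# otherwise two distinct rules in the same scan are treated as suspicious.
RULES = [
    ("ssl_verification_disabled", "medium",
     re.compile(r"_create_unverified_context|verify\s*=\s*False|CERT_NONE")),
    ("base64_decoded_payload", "low",
     re.compile(r"b64decode|FromBase64String", re.I)),
    ("powershell_launch", "medium",
     re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden_or_encoded_powershell", "high",
     re.compile(r"\bpowershell(\.exe)?\b.*?(-w(indowstyle)?\W+hidden|-e(nc|ncodedcommand)?\b|-nop\b|bypass)", re.I)),
    ("defender_exclusion", "high",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
]


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Apply every rule to every line of one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, path, line_no, line.strip()[:120]))
    return findings


def scan_repo(root: Path, suffixes=(".py", ".bat", ".cmd", ".ps1", ".sh", ".txt", ".md")) -> list[Finding]:
    """Walk a downloaded repository and scan every text-like file (never executes anything)."""
    findings = []
    for file in sorted(root.rglob("*")):
        if file.is_file() and file.suffix.lower() in suffixes:
            try:
                text = file.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(file.relative_to(root))))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'suspicious' on any high-severity rule or two distinct rules; 'review' on one; else 'clean'."""
    rules = {(f.rule, f.severity) for f in findings}
    if any(sev == "high" for _, sev in rules) or len(rules) >= 2:
        return "suspicious"
    return "review" if rules else "clean"


# Constructed, inert samples standing in for files pulled from a repository.
BENIGN_SAMPLE = """\
from transformers import AutoModel

def load_model(name="privacy-filter"):
    return AutoModel.from_pretrained(name)
"""

SUSPICIOUS_LOADER = """\
import base64, ssl, subprocess
from transformers import AutoModel

ssl._create_default_https_context = ssl._create_unverified_context
ENCODED_URL = "PLACEHOLDER_BASE64=="  # placeholder, not a real encoded URL
url = base64.b64decode(ENCODED_URL).decode()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", "Write-Host placeholder"])
"""

SUSPICIOUS_BATCH = 'powershell -Command "Add-MpPreference -ExclusionPath %TEMP%"\n'


if __name__ == "__main__":
    # Write the constructed samples to a scratch directory and triage it like a fresh download.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "model.py").write_text(BENIGN_SAMPLE)
        (root / "loader.py").write_text(SUSPICIOUS_LOADER)
        (root / "start.bat").write_text(SUSPICIOUS_BATCH)
        results = scan_repo(root)
        for f in results:
            print(f"[{f.severity:6}] {f.path}:{f.line_no} {f.rule}: {f.excerpt}")
        print("verdict:", verdict(results))
```

The rules are deliberately line-local and cheap, so the scan can run as a pre-commit or download hook without loading any model code. The combination matters more than any single hit: a lone `verify=False` is a code-quality issue worth a look, whereas base64 decoding next to a hidden PowerShell launch in a file that is supposed to load a model is the pattern the article describes.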

The final payload delivered by this campaign is a Rust-based infostealer known as "sefirah." Once active, the malware targets a wide array of sensitive information, including browser cookies, saved passwords, Discord tokens, cryptocurrency wallet keys, and credentials for SSH, FTP, and VPN clients. The malware also captures screenshots and exfiltrates the stolen data to a command-and-control (C2) server located at recargapopular[.]com (BleepingComputer).

To ensure persistence and evade detection, the malware includes sophisticated anti-analysis features. It actively checks for the presence of virtual machines, sandboxes, debuggers, and various analysis tools. While the repository showed 244,000 downloads and 667 likes, researchers believe these figures were likely artificially inflated, as many of the accounts that engaged with the repository appear to be auto-generated (BleepingComputer).

HiddenLayer researchers noted that the infrastructure used in this attack overlaps with other malicious repositories and a separate npm typosquatting campaign that distributed the "WinOS 4.0" implant. Users who may have downloaded files from the compromised repository are urged to take immediate action, including reimaging their machines, rotating all stored credentials, replacing cryptocurrency wallets, and invalidating active browser sessions and tokens (BleepingComputer).

This incident highlights the ongoing challenge of securing collaborative AI platforms against supply chain attacks. As developers increasingly rely on shared repositories for machine learning models and datasets, threat actors are finding new ways to exploit the trust inherent in these communities. This event follows a pattern of previous abuses of the Hugging Face platform, underscoring the need for users to exercise extreme caution when downloading and executing code from third-party repositories, regardless of their perceived popularity or branding.

Synthesized by Vypr AI