A fake repository impersonating OpenAI’s Privacy Filter model reached the #1 trending spot on the Hugging Face AI platform, amassing approximately 244,000 downloads in under 18 hours before its removal. The malware delivered a sophisticated infostealer designed to harvest browser passwords, Discord tokens, cryptocurrency wallet seed phrases, and SSH keys from Windows machines, then exfiltrate the data to attacker-controlled servers.
A malicious Hugging Face repository impersonating OpenAI’s Privacy Filter model surged to the top of the platform’s trending page. The fake account, named “Open-OSS,” copied the model card word-for-word and instructed users to run a file called start.bat on Windows.
The campaign used bot accounts to artificially inflate its social proof, with 657 of its 667 likes coming from auto-generated accounts. HiddenLayer, the AI security firm that identified the threat, detailed its six-stage attack chain.
The malware began by displaying fake training output to appear legitimate while secretly disabling security checks. It then fetched encoded commands from a public JSON paste site to download the next stage from a domain mimicking a blockchain analytics API.
The final payload was a custom-built Rust infostealer that executed with SYSTEM-level privileges and added itself to Windows Defender’s exclusions list. It comprehensively harvested data from Chrome and Firefox browsers, Discord, cryptocurrency wallets, and SSH credentials before sending compressed bundles to the attackers.
This incident is part of a broader pattern, with six additional malicious repositories impersonating models like Qwen3 and DeepSeek identified by HiddenLayer. The infrastructure, a domain called api.eth-fastscan.org, was also observed hosting separate malware.
Individuals who downloaded and ran files from the repository should treat their Windows machine as fully compromised. They are advised to move any cryptocurrency funds to a new wallet from a clean device and change all stored credentials.
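As an added example (not from HiddenLayer or the original article), the following Python script audits a downloaded model repository before anything in it is run: it flags launcher files such as the start.bat described above, model-card text that tells the user to run one, and references to api.eth-fastscan.org. The extension lists, function names and sample repository are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list: file types that have no place in a weights-only model repo.
LAUNCHER_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".exe", ".dll", ".scr", ".msi", ".lnk"}
# Assumed list: files small enough and textual enough to scan for indicators.
TEXT_EXTS = {".md", ".txt", ".json", ".py", ".yaml", ".yml", ".bat", ".cmd", ".ps1"}
# The only network indicator the article names.
KNOWN_BAD_HOSTS = {"api.eth-fastscan.org"}
RUN_HINT = re.compile(r"\b(run|execute|launch|double-click)\b[^\n]{0,60}?([\w.-]+\.(?:bat|cmd|ps1|exe))", re.I)


def audit_repo(root):
    """Return sorted (kind, relative_path, detail) findings for a downloaded repo."""
    findings = set()
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in LAUNCHER_EXTS:
            findings.add(("launcher-file", rel, ext))
        if ext in TEXT_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for host in KNOWN_BAD_HOSTS:
                if host in text.lower():
                    findings.add(("known-bad-host", rel, host))
            if ext == ".md":  # model cards: look for "run <launcher>" instructions
                for m in RUN_HINT.finditer(text):
                    findings.add(("card-tells-user-to-run", rel, m.group(2).lower()))
    return sorted(findings)


def build_sample_repo(root):
    """Constructed sample: a model card plus a harmless launcher stub."""
    root = Path(root)
    (root / "README.md").write_text("# Privacy Filter\nOn Windows, run start.bat to begin.\n")
    (root / "start.bat").write_text("@echo off\nrem placeholder body\n")
    (root / "config.json").write_text('{"model_type": "example"}\n')
    (root / "model.safetensors").write_bytes(b"\x00" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for finding in audit_repo(tmp):
            print(finding)
```

Any finding is a reason to stop and inspect the repository by hand; an empty result only means these specific checks did not fire.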
