
Fake OpenAI privacy filter repository hits #1 spot on Hugging Face, attracts 244,000 downloads


Ravi LakshmananMay 11, 2026Supply chain attack/threat intelligence

A malicious Hugging Face repository made its way onto the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model and delivering a Rust-based information stealer to Windows users.

The project, named Open-OSS/privacy-filter, posed as the legitimate model released by OpenAI late last month (openai/privacy-filter) and copied its entire description verbatim to trick unsuspecting users into downloading it. Hugging Face has since disabled access to the malicious model.

Privacy Filter was announced by the artificial intelligence (AI) company in April 2026 as a way to detect and redact personally identifiable information (PII) in unstructured text, with the goal of building strong privacy and security protections into applications.

“The repository was typosquatting OpenAI’s legitimate privacy filter release, copying its model card almost verbatim, and shipping a loader.py file that fetched and executed the infostealer malware on Windows machines,” the HiddenLayer research team said in a report released last week.

The malicious project instructs the user to clone the repository and run a batch script (‘start.bat’) on Windows or a Python script (‘loader.py’) on Linux or macOS systems to configure all required dependencies and start the model.

When the Python script is launched, it triggers malicious code that disables SSL validation, decodes a Base64-encoded URL hosted on JSON Keeper, and uses it to extract a command that is passed to PowerShell for execution. Using JSON Keeper, a public JSON paste service, as a dead drop resolver allows the attackers to switch payloads on the fly without changing the repository.
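A defender-side check for the three loader traits described above, as an added example that is not from HiddenLayer's report or the original article: it parses a script with Python's `ast` module, without executing it, and reports where TLS verification is disabled, Base64 data is decoded, and PowerShell is invoked. The trait labels, function names and sample are this example's own constructions, and an obfuscated loader would evade these static heuristics.

```python
import ast

EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen"}
TLS_OFF_ATTRS = {"_create_unverified_context", "CERT_NONE"}
ALL_TRAITS = {"tls-verification-disabled", "base64-decode", "powershell-exec"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def scan_loader(source):
    """Parse (never execute) a script and return sorted (line, trait) pairs."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in TLS_OFF_ATTRS:
            found.add((node.lineno, "tls-verification-disabled"))
        if not isinstance(node, ast.Call):
            continue
        name = dotted(node.func)
        if any(kw.arg == "verify" and getattr(kw.value, "value", None) is False
               for kw in node.keywords):  # e.g. requests.get(url, verify=False)
            found.add((node.lineno, "tls-verification-disabled"))
        if name.endswith("b64decode"):
            found.add((node.lineno, "base64-decode"))
        if name in EXEC_CALLS:
            text = [c.value.lower() for c in ast.walk(node)
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if any("powershell" in s or "pwsh" in s for s in text):
                found.add((node.lineno, "powershell-exec"))
    return sorted(found)

def matches_loader_chain(source):
    """True only when all three traits from the report occur together."""
    return {trait for _, trait in scan_loader(source)} >= ALL_TRAITS

# Constructed, inert sample: parsed only, placeholder data, `cmd` is undefined.
SAMPLE = '''
import base64, ssl, subprocess
ctx = ssl._create_unverified_context()
url = base64.b64decode("Y29uc3RydWN0ZWQ=").decode()
subprocess.run(["powershell", "-Command", cmd])
'''
```

Any single trait is common in legitimate code; the combination in a model repository's setup script is what warrants review before running it.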

The PowerShell command downloads a batch script from a remote server (‘api.eth-fastscan[.]org’). This batch script acts as a second-stage downloader that prepares the environment by elevating privileges through a User Account Control (UAC) prompt, configuring Microsoft Defender Antivirus exclusions, downloading the next-stage binaries from the same domain, and setting up a scheduled task to launch a PowerShell script that runs the executable.

Once the scheduled task is launched, the malware waits 2 seconds before deleting itself. The final stage is an information stealer designed to take screenshots and collect data from Discord, cryptocurrency wallets and extensions, system metadata, files such as FileZilla settings and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines.

“Despite using a scheduled task, no persistence is established at this stage. The task is destroyed before rebooting. It is used as a one-shot SYSTEM context launcher,” HiddenLayer explained.
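The second-stage behaviour reported above (Defender exclusions followed by a scheduled task that is created and removed almost immediately) can be hunted in Windows event data; the following added example, not part of the original article, correlates event IDs 5007, 4698 and 4699 per host. The event field names, the time thresholds and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows event IDs: 5007 = Defender configuration changed (Defender
# Operational log), 4698 / 4699 = scheduled task created / deleted (Security).
DEFENDER_CONFIG, TASK_CREATED, TASK_DELETED = 5007, 4698, 4699

def find_one_shot_tasks(events, max_life=timedelta(minutes=5),
                        lookback=timedelta(minutes=10)):
    """Flag tasks created and deleted within max_life on the same host, and
    note whether a Defender exclusion change came shortly before creation."""
    created, last_exclusion, hits = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        host = e["host"]
        if e["id"] == DEFENDER_CONFIG and "Exclusions" in e.get("detail", ""):
            last_exclusion[host] = e["time"]
        elif e["id"] == TASK_CREATED:
            created[(host, e["task"])] = e["time"]
        elif e["id"] == TASK_DELETED:
            start = created.pop((host, e["task"]), None)
            if start is None or e["time"] - start > max_life:
                continue  # unknown task or a normally long-lived one
            excl = last_exclusion.get(host)
            preceded = (excl is not None
                        and timedelta(0) <= start - excl <= lookback)
            hits.append({"host": host, "task": e["task"],
                         "lifetime_s": (e["time"] - start).total_seconds(),
                         "exclusion_first": preceded})
    return hits

def _t(hms):
    """Timestamp helper for the constructed sample below."""
    return datetime.fromisoformat("2026-01-01T" + hms)

# Constructed sample events with simplified field names (not real telemetry).
SAMPLE_EVENTS = [
    {"time": _t("10:00:01"), "host": "ws-01", "id": 5007,
     "detail": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"time": _t("10:00:05"), "host": "ws-01", "id": 4698, "task": r"\ExampleTask"},
    {"time": _t("10:00:09"), "host": "ws-01", "id": 4699, "task": r"\ExampleTask"},
    {"time": _t("09:00:00"), "host": "ws-02", "id": 4698, "task": r"\Backup"},
    {"time": _t("11:30:00"), "host": "ws-02", "id": 4699, "task": r"\Backup"},
]
```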

The stealer also runs checks to detect debuggers and sandboxes and to ensure it is not running in a virtual machine, and attempts to evade behavioral detection by disabling the Windows Anti-Malware Scanning Interface (AMSI) and Event Tracing for Windows (ETW). The stolen data is exfiltrated in JSON format to the ‘recargapopular[.]com’ domain.

Before being deactivated, the model reportedly received around 244,000 downloads and 667 likes within 18 hours, reaching number one trending on Hugging Face, but it is suspected that these numbers were artificially inflated to give the repository credibility and encourage users to download it.

Further analysis of the activity revealed six more repositories with similar Python loaders for deploying stealers.

  • anthfu/Bonsai-8B-gguf
  • anthfu/Qwen3.6-35B-A3B-APEX-GGUF
  • anthfu/DeepSeek-V4-Pro
  • anthfu/Qwopus-GLM-18B-Merged-GGUF
  • anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
  • anthfu/supergemma4-26b-uncensored-gguf-v2

HiddenLayer said it also observed the ‘api.eth-fastscan[.]org’ domain being used to serve another Windows executable (‘o0q2l47f.exe’) that communicates with ‘welovechinatown[.]info’, a command-and-control (C2) server previously used in a campaign that utilized a malicious npm package named trevlo to distribute ValleyRAT (aka Winos 4.0).

Panther noted last month that “the package’s post-installation hook silently runs an obfuscated JavaScript loader that generates base64-encoded PowerShell commands to fetch and execute a second-stage PowerShell script from attacker-controlled infrastructure.”

“The script downloads and executes the Winos 4.0 stager binary (‘CodeRun102.exe’), complete with a complete bypass, running in a hidden window, removing the zone identifier, and detaching the process.”

The attack is notable because it represents a new initial access vector for ValleyRAT, a modular remote access trojan known to be distributed via phishing emails and search engine optimization (SEO) poisoning. Use of ValleyRAT is attributed solely to a Chinese hacker group called Silver Fox.

“Shared infrastructure suggests these campaigns may be related and likely part of broader supply chain activity targeting the open source ecosystem,” HiddenLayer said.

