Fake OpenAI Privacy Filter Repo on Hugging Face Spread Infostealer Malware

Reached No. 1 trending before removal


A malicious repository on Hugging Face impersonated OpenAI’s “Privacy Filter” project and briefly reached the platform’s top trending position before removal.

Researchers from HiddenLayer discovered the campaign on May 7 after identifying a fake repository using typosquatting techniques and copied OpenAI project descriptions nearly word-for-word. The repository reportedly reached around 244,000 downloads before removal, although researchers believe the number may have been artificially inflated.

They also observed suspicious engagement activity, with many likes and accounts appearing auto-generated to help push the repository into the No. 1 trending spot.

The malicious repository included a loader.py script disguised as legitimate AI-related Python code.

Once executed, the malware quietly disabled SSL verification, decoded a hidden URL, downloaded a malicious JSON payload, and launched invisible PowerShell commands in the background.

The PowerShell stage then downloaded a start.bat batch file, which attempted privilege escalation and downloaded the final malware payload known as “sefirah.”

Researchers said the malware also added Microsoft Defender exclusions before deploying the infostealer.
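A static triage check for the loader behaviours described above, written here as an added example (it is not HiddenLayer's tooling or code from the malicious repository). It parses Python source with ast, without running it, and reports disabled TLS verification, string decoding, process launches and PowerShell references; the behaviour labels, function names and sample snippet are constructed for illustration.

```python
import ast

DECODERS = {"base64.b64decode", "base64.b32decode", "binascii.unhexlify", "bytes.fromhex"}
LAUNCHERS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
             "subprocess.check_output", "os.system", "os.popen"}

def _dotted(node, aliases):
    """Resolve a Name/Attribute chain to 'module.attr', following import aliases."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))

def triage(source):
    """Return the loader-style behaviours present in Python source (parsed, never run)."""
    tree, aliases, found = ast.parse(source), {}, set()
    for node in ast.walk(tree):  # first pass: record 'import x as y' / 'from x import y'
        if isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
        elif isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func, aliases)
            if name in DECODERS:
                found.add("string-decoding")
            if name in LAUNCHERS:
                found.add("process-launch")
            if any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                   and k.value.value is False for k in node.keywords):
                found.add("tls-verification-disabled")
        elif isinstance(node, ast.Attribute) and node.attr in ("_create_unverified_context", "CERT_NONE"):
            found.add("tls-verification-disabled")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and "powershell" in node.value.lower():
            found.add("powershell-reference")
    return found

# Constructed sample mirroring the behaviours the article lists; it is only parsed, never executed.
SAMPLE = '''import base64, ssl, subprocess
ssl._create_default_https_context = ssl._create_unverified_context
url = base64.b64decode("Y29uc3RydWN0ZWQ=").decode()
subprocess.Popen(["powershell", "-WindowStyle", "Hidden"])
'''

if __name__ == "__main__": print(sorted(triage(SAMPLE)))
```

Run it over every .py file in a downloaded model repository before importing anything from it. A hit is a reason for manual review rather than proof of malice, since legitimate code also decodes strings and launches processes.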

Infostealer targeted passwords, wallets, and tokens

The final payload was a Rust-based infostealer designed to harvest large amounts of sensitive information from infected systems.

Researchers said the malware targeted browser cookies, passwords, session tokens, encryption keys, Discord databases and tokens, cryptocurrency wallets and browser wallet extensions, SSH credentials, FTP and VPN credentials, sensitive local files, and wallet seed phrases.

The malware also collected system information and captured screenshots across multiple monitors.

According to researchers, the stolen data was exfiltrated to recargapopular[.]com.

Malware included anti-analysis protections

The payload included extensive anti-analysis and anti-debugging protections designed to avoid detection in research environments.

Researchers identified virtual machine detection, sandbox detection, and debugger checks inside the malware.

HiddenLayer also discovered related malicious repositories and infrastructure overlaps tied to npm typosquatting campaigns and previously observed WinOS 4.0 malware distribution activity.

Researchers urge affected users to rotate credentials

Researchers recommend fully reimaging infected systems instead of attempting manual cleanup.

Affected users should also rotate all credentials, invalidate browser sessions and tokens, and replace cryptocurrency wallets and recovery seed phrases.

This is not the first time threat actors have abused popular AI tools and repositories to distribute malware. Similar campaigns previously used fake Claude AI downloads and malware disguised as leaked Claude Code on GitHub.

Separately, suspected state-sponsored hackers were recently linked to espionage activity involving Microsoft Teams.

Via Bleeping Computer
