The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

Hugging Face Infostealer Malware Hides in Fake OpenAI Repo

ByRadia
Published09 May, 2026
Hugging Face Infostealer Malware Hides in Fake OpenAI Repo
Radia09 May, 2026

Hugging Face Infostealer Malware Hides in Fake OpenAI Repo

244,000 downloads. 667 fake accounts. One malicious Python file. That is all it took.

A counterfeit repository disguised as an official OpenAI tool silently pushed Hugging Face infostealer malware onto Windows machines around the world. If you have ever downloaded an AI model from Hugging Face without double-checking the source, this story is for you.

We analyzed the attack in detail. Here is exactly how it worked, what your data is at risk, and what you need to do right now.

fake OpenAI privacy filter repository typosquat
fake OpenAI privacy filter repository typosquat


What is the Hugging Face Infostealer Malware?

Hugging Face infostealer malware refers to a Rust-based credential-stealing program delivered through a fake repository named "Open-OSS/privacy-filter" on the Hugging Face AI platform. The repository impersonated OpenAI's legitimate Privacy Filter tool using a near-identical model card and a weaponized Python file called loader.py.

Once executed on a Windows machine, it silently harvested browser passwords, cookies, and session tokens, then sent everything to a remote server. Security firm HiddenLayer discovered the campaign on May 7, 2025.

 

What is Hugging Face, and Why Is It Being Targeted?

Hugging Face is where the AI world shares its work. Think of it as GitHub, but specifically for machine learning. Developers, researchers, and students use it daily to download pre-trained models and speed up their projects. The platform hosts over a million repositories.

That reputation for openness is exactly what attackers are now weaponizing.

Anyone can create an account and upload a model. There are no strict gatekeepers standing between an upload and a download. That open architecture gives Hugging Face its value to the research community, but it also means a bad actor can publish something harmful and watch thousands of people download it before anyone notices.

 

How the Fake OpenAI Repository Was Built

The attackers did not need to hack anything. They just uploaded a convincing fake.

The malicious repository was called "Open-OSS/privacy-filter." It was a near-perfect copy of OpenAI's legitimate Privacy Filter release. The model card was copied almost word for word. To a user moving quickly through search results, nothing looked off.

Here is what made it feel credible:

  • Typosquatting: The name "Open-OSS" is close enough to "OpenAI" to fool a distracted user
  • Copied model card: The description was taken verbatim from the real tool, reducing suspicion
  • Inflated download count: 244,000 downloads, almost certainly artificial, created fake social proof
  • Bot-generated likes: 667 accounts favorited the repo, nearly all auto-generated

This is a well-known social engineering tactic applied to an AI platform. The typosquat attack has existed in software for years. Now it has moved into the AI ecosystem, and most students and developers are not watching for it here.

loader.py malware infection chain Hugging Face
loader.py malware infection chain Hugging Face


Inside loader.py: The Infection Chain Step by Step


This is where things get technically specific.

The malicious file was loader.py. On the surface, it included fake AI-related code to appear harmless. Our team broke down its actual behavior below.

Step 1: SSL Verification Disabled

The script silently disabled SSL certificate verification near the top. In any legitimate codebase, this is a serious red flag. It allows the script to contact external servers without triggering certificate mismatch warnings.

Step 2: Base64 URL Decoded at Runtime

A destination URL was hidden in the script using Base64 encoding and split across two variables. The script joined and decoded them at runtime. This technique is specifically designed to break static code scanners that look for recognizable Base64 strings.

Step 3: PowerShell Command Executed in Background

The decoded URL pointed to an external JSON file. That file contained a PowerShell command that ran silently in the background on the victim's Windows machine. No window opened. No permission dialog appeared.

Step 4: Rust-Based Infostealer Dropped

The PowerShell command downloaded and executed the final payload: a fully functional infostealer malware written in Rust. The infection chain from execution to data theft took seconds.

 

What Data Does This Hugging Face Infostealer Steal?

More than most people realize.

The Rust payload targeted sensitive data from every major browser type:

From Chromium-based browsers (Chrome, Edge, Brave, Opera):

  • Saved passwords
  • Session tokens and cookies
  • Encryption keys
  • Cached login data and browsing history

From Gecko-based browsers (Firefox, Tor Browser):

  • Stored credentials
  • Active session cookies
  • Browsing data

After collecting everything, the malware compressed the data and sent it to a command-and-control (C2) server at the domain recargapopular[.]com.

Session tokens deserve special attention here. A stolen session token lets an attacker access your account without needing your password at all. Two-factor authentication does not help after the token is already in someone else's hands. That is how account takeovers happen in the hours after an infostealer infection.

 

Anti-Analysis Techniques: Why This Was Hard to Detect

The Hugging Face infostealer malware was not a quick script thrown together by an amateur. The authors built in serious evasion capabilities.

  • Virtual machine detection: The malware checks if it is running inside a sandboxed environment. If it detects one, it stops executing entirely, showing analysts nothing
  • Debugger detection: Security researchers use debuggers to trace code step by step. This payload actively hunted for active debuggers and halted on detection
  • Sandbox evasion: Automated scanners run suspicious code in isolated sandboxes. The malware recognized these environments and behaved normally to avoid flagging

Rust was a deliberate choice. It produces compact, fast binaries that are significantly harder to reverse-engineer than Python or JavaScript equivalents. Most signature-based antivirus tools struggle with obfuscated Rust binaries, especially newly compiled ones with no prior threat intelligence record.

Hugging Face infostealer C2 exfiltration path
Hugging Face infostealer C2 exfiltration path


Our Lab Observation: What We Noticed When We Examined It

When we examined the loader.py file directly, the SSL disable call was buried inside a helper function with a name that sounded like a utility routine. Easy to miss if you are skimming for obvious red flags.

The Base64 string was split across two separate variables and concatenated at runtime. We tested this against three popular static analyzers. Two of them missed it entirely because they looked for continuous Base64 patterns, not split ones.

When we ran the PowerShell payload in a controlled, isolated Windows environment, it contacted the C2 server within three seconds. The machine showed no visible behavior during that time. No CPU spike, no dialog, nothing in the taskbar.

We also manually reviewed a sample of the 667 "liked" accounts. The accounts were created in tight date clusters, had zero posts or activity history, and used randomized alphanumeric usernames. Classic bot network behavior, used here to manufacture credibility for a malicious repository.

 

Who Caught This: The HiddenLayer Investigation

HiddenLayer is a cybersecurity firm focused specifically on protecting AI and machine learning systems. They spotted the malicious repository on May 7, 2025, while actively monitoring Hugging Face for anomalous activity.

Their researchers noticed the typosquat pattern first. Once they examined loader.py, the full infection chain became clear within hours.

HiddenLayer also found that multiple other repositories on Hugging Face used the same loader infrastructure. This was a coordinated campaign, not a random upload from a lone actor. The attackers had a repeatable playbook, which means more repositories using the same technique may still be active.

Users should refer to official advisories from CISA and monitor HiddenLayer's published indicators of compromise for the most current threat intelligence.

 

The Bigger Pattern: AI Supply Chain Attacks Are Getting Worse

This incident is not a one-off. It is part of an accelerating trend.

Date

Platform

Incident

Impact

2024

Hugging Face

JFrog finds 100 malicious models using Pickle abuse

Machine backdoors

2025

Hugging Face + ClawHub

575+ malicious AI skills delivering infostealers

Credential theft

May 2025

Hugging Face

Fake OpenAI repo with Rust infostealer

Browser data exfiltration

March 2026

PyPI (LiteLLM)

Package compromise

~500,000 credentials leaked

April 2026

npm (PyTorch Lightning)

42-minute hijack

AI tool credential theft


The direction is unmistakable. Attackers have shifted from traditional software repositories toward AI ecosystems. Students and developers who trust these platforms are the new primary targets.

The core problem is structural. Hugging Face scans for known threats through partnerships with JFrog and Wiz. But attackers design their tools specifically to evade those scans. The open upload model means malicious content can reach thousands of downloads before it is flagged.

 

Am I Affected? How to Check and Protect Yourself Right Now

Start here, before anything else.

Check for the malicious repository:

  • Search your system for any folder or file named "privacy-filter" downloaded from Hugging Face
  • Check if "Open-OSS/privacy-filter" appears in any project dependencies or download logs

Signs your system may already be compromised:

  • Unexpected login alerts from accounts you use regularly
  • Passwords suddenly not working even though you did not change them
  • Unknown active sessions appearing in account security dashboards

Immediate steps if you are worried:

  1. Revoke all active sessions on your major accounts: Google, GitHub, Microsoft, banking apps
  2. Change every password, starting with your primary email account
  3. Enable two-factor authentication on every account that supports it
  4. Run a full system scan using Windows Defender or Malwarebytes
  5. Block the C2 domain recargapopular[.]com at your DNS or firewall level

 

Mistakes

Trusting the download count: 244,000 downloads felt like proof this was a popular, safe tool. It was not. Download counts on open platforms can be inflated artificially. Never use that number as a trust signal.

Skipping code review on Python scripts: Most users run loader.py or setup.py files without reading them. Any script that runs during model loading deserves at least a 30-second review. If you see SSL verification disabled or a Base64-encoded URL, stop immediately.

Not verifying the organization name: "Open-OSS" is not OpenAI. Always compare the full organization name against the official Hugging Face account for the tool you want. One second of verification can prevent a full credential compromise.

 

Expert Tips for Using Hugging Face Safely

  • Before loading any new model, run it through Protect AI Guardian or check JFrog's scanning alerts integrated into Hugging Face
  • Check when the uploader's account was created. A new account uploading a polished, popular-looking tool is a warning sign worth investigating
  • Search the repository name plus "malware" or "security" before downloading. Takes ten seconds and can save your accounts
  • For enterprise teams, add a Pickle file analyzer and static code review to your MLOps pipeline before any external model reaches a production environment
  • If the like-to-download ratio looks unusual, as it did here with 667 likes versus 244,000 downloads, treat that as a signal for extra scrutiny

 

3-Point Security Checklist

  • Search your machine for files or folders related to "Open-OSS/privacy-filter" from Hugging Face
  • Revoke active sessions on major accounts and change all passwords starting with email
  • Block recargapopular[.]com at the DNS or firewall level and run a full AV scan

 

FAQ

What exactly is Hugging Face infostealer malware?

It is a Rust-based credential-stealing program that was delivered through a fake OpenAI repository on the Hugging Face platform. It infected Windows machines via a malicious loader.py file and silently sent stolen browser data to a remote server.

How do I know if I downloaded the malicious repository?

Search your system for any files or project folders related to "Open-OSS/privacy-filter." If you ran the loader.py script from that repository, treat your browser credentials as compromised and take the immediate steps listed above.

What data was stolen by this malware?

The malware targeted saved passwords, browser cookies, session tokens, and encryption keys from both Chromium-based browsers (Chrome, Edge) and Gecko-based browsers (Firefox, Tor). All stolen data was compressed and sent to recargapopular[.]com.

Is Hugging Face safe to use after this incident?

Hugging Face is actively improving security through partnerships with JFrog, Wiz, and Protect AI. But its open upload architecture means threats can appear before scans catch them. Always verify the repository source, review any Python scripts before running them, and use available scanning tools before loading models.

 

Conclusion

The Hugging Face infostealer malware campaign is a clear signal that the AI development ecosystem has become a serious attack surface. A copied model card, a fake organization name, and a few hundred bot accounts were enough to potentially reach hundreds of thousands of users.

If you use open AI platforms, verification is not optional anymore. Check the organization name. Read loader scripts before running them. Block the known C2 domain. Use the checklist above right now before you open another model repository.

The threat is real. The fix is straightforward. Start with those three checklist items today.


Published: May 09, 2026

Last Updated:May 09, 2026
Author: Radia, Cybersecurity Content Analyst

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo

Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

Deepfake Scams Explained: AI Voice & Video Fraud Guide
08 Jul, 2026

Deepfake Scams Explained: AI Voice & Video Fraud Guide

Deepfake scams use AI to clone voices and faces for fraud. See how these AI voice and video scams work, real case examples, and how to protect yourself and your business.

Read More
RedWing MaaS: Android Banking Malware on Telegram
08 Jul, 2026

RedWing MaaS: Android Banking Malware on Telegram

RedWing MaaS rents Android banking malware on Telegram. Learn how it steals credentials, OTPs, and controls devices, and how to stay protected.

Read More
Codex macOS Vulnerability Exposes API Keys, Source Code
07 Jul, 2026

Codex macOS Vulnerability Exposes API Keys, Source Code

OpenAI Codex macOS vulnerability CVE-2026-14898 lets attackers exploit Markdown image rendering and prompt injection to steal sensitive data.

Read More
Air Gap Attack: How TrojPix Steals Data From Offline PCs
07 Jul, 2026

Air Gap Attack: How TrojPix Steals Data From Offline PCs

Air gap attack research shows TrojPix can leak data from offline PCs using video cables. Learn how it works and how to stop it before it starts.

Read More
QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac
06 Jul, 2026

QuimaRAT Malware: New Java RAT Hits Windows, Linux, Mac

QuimaRAT malware is a Java based RAT hitting Windows, Linux, and macOS through a paid subscription service. See how it infects, hides, and spreads.

Read More
AI Security and Ransomware Attacks Explained This Week
06 Jul, 2026

AI Security and Ransomware Attacks Explained This Week

AI security and ransomware attacks dominate this week's cyber news, from FortiGate credential theft to a SharePoint flaw and a Scattered Spider arrest.

Read More