
Hugging Face Infostealer Malware Hides in Fake OpenAI Repo

Hoplon InfoSec

09 May, 2026

244,000 downloads. 667 fake accounts. One malicious Python file. That is all it took.

A counterfeit repository disguised as an official OpenAI tool silently pushed Hugging Face infostealer malware onto Windows machines around the world. If you have ever downloaded an AI model from Hugging Face without double-checking the source, this story is for you.

We analyzed the attack in detail. Here is exactly how it worked, which of your data is at risk, and what you need to do right now.

[Figure: fake OpenAI privacy filter repository typosquat]


What is the Hugging Face Infostealer Malware?

Hugging Face infostealer malware refers to a Rust-based credential-stealing program delivered through a fake repository named "Open-OSS/privacy-filter" on the Hugging Face AI platform. The repository impersonated OpenAI's legitimate Privacy Filter tool using a near-identical model card and a weaponized Python file called loader.py.

Once executed on a Windows machine, it silently harvested browser passwords, cookies, and session tokens, then sent everything to a remote server. Security firm HiddenLayer discovered the campaign on May 7, 2025.

 

What is Hugging Face, and Why Is It Being Targeted?

Hugging Face is where the AI world shares its work. Think of it as GitHub, but specifically for machine learning. Developers, researchers, and students use it daily to download pre-trained models and speed up their projects. The platform hosts over a million repositories.

That reputation for openness is exactly what attackers are now weaponizing.

Anyone can create an account and upload a model. There are no strict gatekeepers standing between an upload and a download. That open architecture gives Hugging Face its value to the research community, but it also means a bad actor can publish something harmful and watch thousands of people download it before anyone notices.

 

How the Fake OpenAI Repository Was Built

The attackers did not need to hack anything. They just uploaded a convincing fake.

The malicious repository was called "Open-OSS/privacy-filter." It was a near-perfect copy of OpenAI's legitimate Privacy Filter release. The model card was copied almost word for word. To a user moving quickly through search results, nothing looked off.

Here is what made it feel credible:

  • Typosquatting: The name "Open-OSS" is close enough to "OpenAI" to fool a distracted user
  • Copied model card: The description was taken verbatim from the real tool, reducing suspicion
  • Inflated download count: 244,000 downloads, almost certainly artificial, created fake social proof
  • Bot-generated likes: 667 accounts favorited the repo, nearly all auto-generated

This is a well-known social engineering tactic applied to an AI platform. The typosquat attack has existed in software for years. Now it has moved into the AI ecosystem, and most students and developers are not watching for it here.

[Figure: loader.py malware infection chain on Hugging Face]


Inside loader.py: The Infection Chain Step by Step


This is where things get technically specific.

The malicious file was loader.py. On the surface, it included fake AI-related code to appear harmless. Our team broke down its actual behavior below.

Step 1: SSL Verification Disabled

The script silently disabled SSL certificate verification near the top. In any legitimate codebase, this is a serious red flag. It allows the script to contact external servers without triggering certificate mismatch warnings.

Step 2: Base64 URL Decoded at Runtime

A destination URL was hidden in the script using Base64 encoding and split across two variables. The script joined and decoded them at runtime. This technique is specifically designed to break static code scanners that look for recognizable Base64 strings.

Step 3: PowerShell Command Executed in Background

The decoded URL pointed to an external JSON file. That file contained a PowerShell command that ran silently in the background on the victim's Windows machine. No window opened. No permission dialog appeared.

Step 4: Rust-Based Infostealer Dropped

The PowerShell command downloaded and executed the final payload: a fully functional infostealer malware written in Rust. The infection chain from execution to data theft took seconds.

 

What Data Does This Hugging Face Infostealer Steal?

More than most people realize.

The Rust payload targeted sensitive data from every major browser type:

From Chromium-based browsers (Chrome, Edge, Brave, Opera):

  • Saved passwords
  • Session tokens and cookies
  • Encryption keys
  • Cached login data and browsing history

From Gecko-based browsers (Firefox, Tor Browser):

  • Stored credentials
  • Active session cookies
  • Browsing data

After collecting everything, the malware compressed the data and sent it to a command-and-control (C2) server at the domain recargapopular[.]com.

Session tokens deserve special attention here. A stolen session token lets an attacker access your account without needing your password at all. Two-factor authentication does not help after the token is already in someone else's hands. That is how account takeovers happen in the hours after an infostealer infection.

 

Anti-Analysis Techniques: Why This Was Hard to Detect

The Hugging Face infostealer malware was not a quick script thrown together by an amateur. The authors built in serious evasion capabilities.

  • Virtual machine detection: The malware checks if it is running inside a sandboxed environment. If it detects one, it stops executing entirely, showing analysts nothing
  • Debugger detection: Security researchers use debuggers to trace code step by step. This payload actively hunted for active debuggers and halted on detection
  • Sandbox evasion: Automated scanners run suspicious code in isolated sandboxes. The malware recognized these environments and behaved normally to avoid flagging

Rust was a deliberate choice. It produces compact, fast binaries that are significantly harder to reverse-engineer than Python or JavaScript equivalents. Most signature-based antivirus tools struggle with obfuscated Rust binaries, especially newly compiled ones with no prior threat intelligence record.

[Figure: Hugging Face infostealer C2 exfiltration path]


Our Lab Observation: What We Noticed When We Examined It

When we examined the loader.py file directly, the SSL disable call was buried inside a helper function with a name that sounded like a utility routine. Easy to miss if you are skimming for obvious red flags.

The Base64 string was split across two separate variables and concatenated at runtime. We tested this against three popular static analyzers. Two of them missed it entirely because they looked for continuous Base64 patterns, not split ones.
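The two loader traits described above, the SSL bypass buried in a helper (Step 1) and the Base64 URL split across variables (Step 2), are both visible to a scanner that works on the parsed syntax tree rather than on raw text. The Python below is an added example written for this article; it is not code from the campaign, from HiddenLayer, or from the Hoplon lab. It resolves string concatenations before decoding, which is exactly the case that pattern-matching analyzers looking for one continuous Base64 literal miss. The sample loader it scans is constructed, and the decoded URL is a placeholder domain, not the real C2.

```python
import ast
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample in the style of the loader the article describes: a TLS
# bypass buried in a helper with a utility-sounding name, and a URL hidden as
# Base64 text split across two variables. The decoded URL is a placeholder
# (loader.example.invalid), not the campaign's real infrastructure.
SAMPLE_LOADER = '''
import ssl, base64

def _init_tls_ctx():
    # reads like setup code, actually turns off certificate checks
    ssl._create_default_https_context = ssl._create_unverified_context

_p1 = "aHR0cHM6Ly9sb2FkZXIu"
_p2 = "ZXhhbXBsZS5pbnZhbGlkL2NvbmZpZy5qc29u"

def load_model(path):
    _init_tls_ctx()
    return base64.b64decode(_p1 + _p2).decode()
'''

# A decoded blob counts as a hidden URL only if it has a scheme and a dotted host.
URL_RE = re.compile(rb"^https?://[\w.-]+\.[a-z]{2,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
SSL_BYPASS_ATTRS = {"_create_unverified_context", "CERT_NONE"}


@dataclass
class Finding:
    line: int
    kind: str    # "ssl-bypass" or "hidden-url"
    detail: str


class LoaderScanner(ast.NodeVisitor):
    def __init__(self, consts: dict[str, str]):
        self.consts = consts                 # name -> string literal bound to it
        self.findings: list[Finding] = []

    def _check_b64(self, line: int, text: str, how: str) -> None:
        if not B64_RE.match(text):
            return
        try:
            raw = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            return
        if URL_RE.match(raw):
            self.findings.append(Finding(line, "hidden-url",
                f"Base64 ({how}) decodes to {raw.decode('ascii', 'replace')}"))

    def _pieces(self, node: ast.AST):
        """Resolve a + b + 'c' into its string pieces; None if any piece is unknown."""
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
            left, right = self._pieces(node.left), self._pieces(node.right)
            return None if left is None or right is None else left + right
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            return [node.value]
        if isinstance(node, ast.Name) and node.id in self.consts:
            return [self.consts[node.id]]
        return None

    def visit_Attribute(self, node: ast.Attribute) -> None:
        if node.attr in SSL_BYPASS_ATTRS:
            self.findings.append(Finding(node.lineno, "ssl-bypass", f"attribute {node.attr}"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        for kw in node.keywords:   # requests.get(url, verify=False) and friends
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                self.findings.append(Finding(node.lineno, "ssl-bypass", "verify=False"))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            self._check_b64(node.lineno, node.value, "single literal")

    def visit_BinOp(self, node: ast.BinOp) -> None:
        pieces = self._pieces(node)
        if pieces is not None:
            # the joined text is what a scanner looking for one long literal never sees
            self._check_b64(node.lineno, "".join(pieces), f"{len(pieces)} concatenated pieces")
            return
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    tree = ast.parse(source)
    consts = {}   # pre-pass: names bound to plain string literals, so `a + b` resolves later
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    consts[target.id] = node.value.value
    scanner = LoaderScanner(consts)
    scanner.visit(tree)
    return scanner.findings
```

Pointing scan_source at the text of a downloaded loader.py or setup.py yields the same two classes of finding, and either one is reason to stop before running the file. The check is deliberately narrow: it will not see URLs hidden with other encodings or assembled at runtime from non-literal parts, so a clean result is not a clean bill of health.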

When we ran the PowerShell payload in a controlled, isolated Windows environment, it contacted the C2 server within three seconds. The machine showed no visible behavior during that time. No CPU spike, no dialog, nothing in the taskbar.

We also manually reviewed a sample of the 667 "liked" accounts. The accounts were created in tight date clusters, had zero posts or activity history, and used randomized alphanumeric usernames. Classic bot network behavior, used here to manufacture credibility for a malicious repository.

 

Who Caught This: The HiddenLayer Investigation

HiddenLayer is a cybersecurity firm focused specifically on protecting AI and machine learning systems. They spotted the malicious repository on May 7, 2025, while actively monitoring Hugging Face for anomalous activity.

Their researchers noticed the typosquat pattern first. Once they examined loader.py, the full infection chain became clear within hours.

HiddenLayer also found that multiple other repositories on Hugging Face used the same loader infrastructure. This was a coordinated campaign, not a random upload from a lone actor. The attackers had a repeatable playbook, which means more repositories using the same technique may still be active.

Users should refer to official advisories from CISA and monitor HiddenLayer's published indicators of compromise for the most current threat intelligence.

 

The Bigger Pattern: AI Supply Chain Attacks Are Getting Worse

This incident is not a one-off. It is part of an accelerating trend.

Date | Platform | Incident | Impact
2024 | Hugging Face | JFrog finds 100 malicious models using Pickle abuse | Machine backdoors
2025 | Hugging Face + ClawHub | 575+ malicious AI skills delivering infostealers | Credential theft
May 2025 | Hugging Face | Fake OpenAI repo with Rust infostealer | Browser data exfiltration
March 2026 | PyPI (LiteLLM) | Package compromise | ~500,000 credentials leaked
April 2026 | npm (PyTorch Lightning) | 42-minute hijack | AI tool credential theft

The direction is unmistakable. Attackers have shifted from traditional software repositories toward AI ecosystems. Students and developers who trust these platforms are the new primary targets.

The core problem is structural. Hugging Face scans for known threats through partnerships with JFrog and Wiz. But attackers design their tools specifically to evade those scans. The open upload model means malicious content can reach thousands of downloads before it is flagged.

 

Am I Affected? How to Check and Protect Yourself Right Now

Start here, before anything else.

Check for the malicious repository:

  • Search your system for any folder or file named "privacy-filter" downloaded from Hugging Face
  • Check if "Open-OSS/privacy-filter" appears in any project dependencies or download logs

Signs your system may already be compromised:

  • Unexpected login alerts from accounts you use regularly
  • Passwords suddenly not working even though you did not change them
  • Unknown active sessions appearing in account security dashboards

Immediate steps if you are worried:

  1. Revoke all active sessions on your major accounts: Google, GitHub, Microsoft, banking apps
  2. Change every password, starting with your primary email account
  3. Enable two-factor authentication on every account that supports it
  4. Run a full system scan using Windows Defender or Malwarebytes
  5. Block the C2 domain recargapopular[.]com at your DNS or firewall level
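Where on disk to run the first check above is not obvious, because huggingface_hub does not save a folder called privacy-filter: by default it caches each repository under ~/.cache/huggingface/hub as models--<org>--<name>, on Windows as well as Linux, unless HF_HOME or HF_HUB_CACHE points elsewhere. The Python below is an added example, not from the article or from Hugging Face, that searches that cache for the repository id named here and lists the Python files inside it (the files that ran if the model was ever loaded). The suspect list and the demo cache it builds are constructed; the cache layout is an assumption about huggingface_hub's default behaviour.

```python
import os
import tempfile
from pathlib import Path

# Repository ids named in the article. Extend from HiddenLayer's published IoCs.
SUSPECT_REPOS = {"Open-OSS/privacy-filter"}


def hf_cache_root() -> Path:
    """Where huggingface_hub keeps downloads (assumed default layout): $HF_HUB_CACHE,
    else $HF_HOME/hub, else ~/.cache/huggingface/hub on every platform."""
    if os.environ.get("HF_HUB_CACHE"):
        return Path(os.environ["HF_HUB_CACHE"])
    home = Path(os.environ.get("HF_HOME") or Path.home() / ".cache" / "huggingface")
    return home / "hub"


def repo_dir_name(repo_id: str) -> str:
    """huggingface_hub stores the repo 'org/name' under 'models--org--name'."""
    return "models--" + repo_id.replace("/", "--")


def find_suspect_downloads(cache_root: Path, suspects=SUSPECT_REPOS) -> list[dict]:
    """One record per suspect repo present in the cache, with its Python files."""
    hits = []
    for repo_id in sorted(suspects):
        repo_dir = cache_root / repo_dir_name(repo_id)
        if not repo_dir.is_dir():
            continue
        scripts = sorted(str(p.relative_to(repo_dir)) for p in repo_dir.rglob("*.py"))
        hits.append({"repo_id": repo_id, "path": str(repo_dir), "python_files": scripts})
    return hits


def demo() -> list[dict]:
    """Build a constructed cache with one clean repo and one suspect repo, then scan it."""
    root = Path(tempfile.mkdtemp()) / "hub"
    (root / repo_dir_name("some-org/clean-model") / "snapshots" / "aaaa").mkdir(parents=True)
    bad = root / repo_dir_name("Open-OSS/privacy-filter") / "snapshots" / "bbbb"
    bad.mkdir(parents=True)
    (bad / "loader.py").write_text("# placeholder standing in for the malicious loader\n")
    (bad / "README.md").write_text("model card\n")
    return find_suspect_downloads(root)


if __name__ == "__main__":
    for hit in find_suspect_downloads(hf_cache_root()):
        print(f"found {hit['repo_id']} at {hit['path']}; python files: {hit['python_files']}")
```

A hit means the repository was downloaded to this machine; whether loader.py actually executed is a separate question, but the article's advice still applies: treat browser credentials as exposed and work through the five steps above. Repositories fetched with git clone or a browser download land wherever you put them, so a filename search for privacy-filter is still worth doing alongside the cache check.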

 

Mistakes

Trusting the download count: 244,000 downloads felt like proof this was a popular, safe tool. It was not. Download counts on open platforms can be inflated artificially. Never use that number as a trust signal.

Skipping code review on Python scripts: Most users run loader.py or setup.py files without reading them. Any script that runs during model loading deserves at least a 30-second review. If you see SSL verification disabled or a Base64-encoded URL, stop immediately.

Not verifying the organization name: "Open-OSS" is not OpenAI. Always compare the full organization name against the official Hugging Face account for the tool you want. One second of verification can prevent a full credential compromise.

 

Expert Tips for Using Hugging Face Safely

  • Before loading any new model, run it through Protect AI Guardian or check JFrog's scanning alerts integrated into Hugging Face
  • Check when the uploader's account was created. A new account uploading a polished, popular-looking tool is a warning sign worth investigating
  • Search the repository name plus "malware" or "security" before downloading. It takes ten seconds and can save your accounts
  • For enterprise teams, add a Pickle file analyzer and static code review to your MLOps pipeline before any external model reaches a production environment
  • If the like-to-download ratio looks unusual, as it did here with 667 likes versus 244,000 downloads, treat that as a signal for extra scrutiny

 

3-Point Security Checklist

  • Search your machine for files or folders related to "Open-OSS/privacy-filter" from Hugging Face
  • Revoke active sessions on major accounts and change all passwords starting with email
  • Block recargapopular[.]com at the DNS or firewall level and run a full AV scan

 

FAQ

What exactly is Hugging Face infostealer malware?

It is a Rust-based credential-stealing program that was delivered through a fake OpenAI repository on the Hugging Face platform. It infected Windows machines via a malicious loader.py file and silently sent stolen browser data to a remote server.

How do I know if I downloaded the malicious repository?

Search your system for any files or project folders related to "Open-OSS/privacy-filter." If you ran the loader.py script from that repository, treat your browser credentials as compromised and take the immediate steps listed above.

What data was stolen by this malware?

The malware targeted saved passwords, browser cookies, session tokens, and encryption keys from both Chromium-based browsers (Chrome, Edge) and Gecko-based browsers (Firefox, Tor). All stolen data was compressed and sent to recargapopular[.]com.

Is Hugging Face safe to use after this incident?

Hugging Face is actively improving security through partnerships with JFrog, Wiz, and Protect AI. But its open upload architecture means threats can appear before scans catch them. Always verify the repository source, review any Python scripts before running them, and use available scanning tools before loading models.

 

Conclusion

The Hugging Face infostealer malware campaign is a clear signal that the AI development ecosystem has become a serious attack surface. A copied model card, a fake organization name, and a few hundred bot accounts were enough to potentially reach hundreds of thousands of users.

If you use open AI platforms, verification is not optional anymore. Check the organization name. Read loader scripts before running them. Block the known C2 domain. Use the checklist above right now before you open another model repository.

The threat is real. The fix is straightforward. Start with those three checklist items today.


Published: May 09, 2026

Last Updated: May 09, 2026

Author: Radia, Cybersecurity Content Analyst
